23542300x800000000000000051235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:32.462{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE93B9CE5CC43011D2B8B3946A07821,SHA256=E02B3F81EA243F7608D158E6F65FCA30B29251D93D00040E4CE1B2B0F937FAE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.902{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F0EC-62DF-0F04-000000006F02}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.902{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.902{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.902{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.902{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.902{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F0EC-62DF-0F04-000000006F02}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.902{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F0EC-62DF-0F04-000000006F02}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.903{F81F30E6-F0EC-62DF-0F04-000000006F02}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.387{F81F30E6-F0EC-62DF-0E04-000000006F02}20165260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.239{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB9B4D2B05F9DEBBC07078D69CA40A63,SHA256=E3D32B67CBE4933A8CDFCFF776CE475FC4F710E9281FBDD196B019A11E68426F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.218{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F0EC-62DF-0E04-000000006F02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.218{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.218{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.218{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F0EC-62DF-0E04-000000006F02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.218{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.218{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.218{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F0EC-62DF-0E04-000000006F02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.219{F81F30E6-F0EC-62DF-0E04-000000006F02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.018{F81F30E6-D9FD-62DF-B000-000000006F02}56685648C:\Windows\system32\conhost.exe{F81F30E6-F0EC-62DF-0D04-000000006F02}6736C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.018{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.018{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.018{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.018{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.018{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F0EC-62DF-0D04-000000006F02}6736C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.018{F81F30E6-D9FD-62DF-AF00-000000006F02}56765672C:\Windows\system32\cmd.exe{F81F30E6-F0EC-62DF-0D04-000000006F02}6736C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:32.024{F81F30E6-F0EC-62DF-0D04-000000006F02}6736C:\Python310\python.exe3.10.5PythonPythonPython Software Foundationpython.exepython httpserv.py 80C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=B1E4A59F3F1C7B6F250319D58798D3B9,SHA256=0467DF606D98305B25A040E051CF8876A553A61DA1031E51E6E77B15FB18B964,IMPHASH=4532ED405F27949E7A9CE4879FC06EC9{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000051237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:33.962{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=78C380BE98472140E15A338F49D9ABA5,SHA256=6D4EF96040D98C5C2C34C8CC2E1704D57E20B0306AB8D23453BD858D15BB9A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:33.556{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F9EDF60A22012E40B74678DF76CFA5,SHA256=B3CC1F37ACC6D8456AC1EF7DBE23C57D408520912C2476F49249EF0C7662086C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.471{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F0ED-62DF-1004-000000006F02}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.471{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.471{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.471{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.471{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.471{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F0ED-62DF-1004-000000006F02}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.471{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F0ED-62DF-1004-000000006F02}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.473{F81F30E6-F0ED-62DF-1004-000000006F02}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.271{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692A35FB9440CCCC93CC5483E07DCA0B,SHA256=53A261D2529434F8232B79099E7AA9DBA30432403951DCF7933604126D0D4D13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.155{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FE87C2CC0CDB554EA6BFEC257009F17,SHA256=234E1D58C3946ECDBCC6487C6313B0F4A13A1023F7E51F305C590AF3ED580D8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:33.102{F81F30E6-F0EC-62DF-0F04-000000006F02}70445272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:34.650{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF55C514411394DC98C2C02FB19663FD,SHA256=7ACA9C3C8ECADD1A5F9D2D1817322101B98D3D1EAC446563E3136755675AFAFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.971{F81F30E6-F0EE-62DF-1204-000000006F02}48847892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.802{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F0EE-62DF-1204-000000006F02}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.802{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.802{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.802{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.802{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.802{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F0EE-62DF-1204-000000006F02}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.802{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F0EE-62DF-1204-000000006F02}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.803{F81F30E6-F0EE-62DF-1204-000000006F02}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000273947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.671{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E2D2B2EA3EBFD3EDE463F826B47C7AE4,SHA256=1A094B9CB44A0476D6AED28934DC01E534B7C5C8A9BC25C8DA75814F111062D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.356{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1357AD5C368EDB1F96AD2DA872DC5F,SHA256=AF38D0C9D82C9A583BD78158E07972190B9338AF693E4006C2B915C202B49923,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.137{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F0EE-62DF-1104-000000006F02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.136{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.136{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.135{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.135{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.135{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F0EE-62DF-1104-000000006F02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.135{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F0EE-62DF-1104-000000006F02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.134{F81F30E6-F0EE-62DF-1104-000000006F02}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000273937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.018{F81F30E6-D97C-62DF-1500-000000006F02}12287656C:\Windows\System32\svchost.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:34.018{F81F30E6-D97C-62DF-1500-000000006F02}12287656C:\Windows\System32\svchost.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:35.744{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=110E721AB9F04700360259143275961C,SHA256=6E72A61CD0FC39C35AF9B2722DAE3BB92304C7C809ADA38FC8972DAE0CE212E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.639{F81F30E6-F0EF-62DF-1304-000000006F02}44281696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.517{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344F0E1802D11A01A4209333C89B7CF5,SHA256=6FD9CEEFEB4151287FA03C714E5F18469520D685762913785045551AB0E9A3FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.486{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F0EF-62DF-1304-000000006F02}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.486{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.486{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.486{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.486{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.486{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F0EF-62DF-1304-000000006F02}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.486{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F0EF-62DF-1304-000000006F02}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.487{F81F30E6-F0EF-62DF-1304-000000006F02}4428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:36.838{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D59D16345E312AD9AD3DE201A774084,SHA256=E48F811512BDE652ADF2F70FF4C37E322E6177B619EC7683F0B7A1327BDF3B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.555{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7CF5FFCCC6A66BAD689B4613F70C25,SHA256=156DE374EFEECD07D2EB8B81B61F3D1B6FE765F9E8C9DE62E9AD159D546CFD29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.154{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F0F0-62DF-1404-000000006F02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.154{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.154{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.154{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.154{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.154{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F0F0-62DF-1404-000000006F02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000273968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.154{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F0F0-62DF-1404-000000006F02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000273967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:36.155{F81F30E6-F0F0-62DF-1404-000000006F02}7652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:37.932{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C2D07F6162EA62C65662883E422D9D,SHA256=38FCF51094683770EDB0D68E22CF63FB49BE3163F1C325476F31AC5D61897889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000273984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.602{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E44F824DDA3FCD6EA80328BE66854EE,SHA256=424537488F39A7253935DC31E9DE1BE850FE0C720B8C459840CF5BD2F5B8F838,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:37.018{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:38.654{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF551B2F1CD02578C7D2425830A19F7B,SHA256=E806295DCEDAC0889056C8E0EC4DE3B0DAF4A64427014B7E6246EC34791C196C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:36.191{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50882-false10.0.1.12-8000- 354300x8000000000000000273985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:35.039{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64766-false10.0.1.12-8000- 23542300x8000000000000000273995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.699{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C1FC521771261F41AC632C7CC659B5,SHA256=31EEF755B3175F7022F7E87901CB6453B6CE66E2647F227CB032454511976254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:39.026{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B42F7B158C9D5277A7D5CF24CEF00B97,SHA256=FD672A9EA1C2A2A16743E61BDD49A8ACA378B779A66B9278749ADA5DA2F15CA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000273987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.069{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000273997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:40.833{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4794C86EB851820081D7DE1A497325,SHA256=0942710ED36C2E9735BFD600D55EB5AA64B9E33C577E22078631C8C047270693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:40.120{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2660132A3616C932A5F0E0EC83EA5EB,SHA256=824F06B961028C3D6FFBF107E7BDEF6CA024D3624EEC40C7539B43C191675927,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000273996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:40.400{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D978-62DF-0100-000000006F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97d32|C:\Windows\system32\kerberos.DLL+7a118|C:\Windows\system32\kerberos.DLL+1454f|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+2d496|C:\Windows\system32\lsasrv.dll+32d29|C:\Windows\system32\lsasrv.dll+30677|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+176fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000274002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:41.983{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58CC9CEF92A9A302BC50BFFEE6B7C85,SHA256=B42EACA683F943EF31062D7435BEF6A410AD670D27340479AE5B11CC23E5C442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:41.213{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BE124DE5E710B08EB7D4B622818E2FD,SHA256=FD2C1CCBD0E25DA305D018B2B2F9DA6CAE176E19088FC0E51F0514F71B0652F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:41.483{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19211FB5FC8842648589137B2EA2439A,SHA256=0FC649368703A85210D99AF458D44C1BB3BBA62B79BA3C08F63865D2FB92385C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:38.576{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local59228-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000273999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:38.575{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local61708- 354300x8000000000000000273998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:38.574{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local54314-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domain 23542300x800000000000000051246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:42.307{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367FA74B9D4F9B4CBA56D8E11CAEA19F,SHA256=DF5EC9F525973980206D06CACEB7B16F0CDB1B381A9B34C7644A44A083696E10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.403{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64767-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000274003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:39.403{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64767-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 23542300x800000000000000051248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:43.401{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E936511B5F809D660E70E9CBDA023D7F,SHA256=16A531F29A2B099A8E63E2BDF58CD9B476F743D48AB323CDCE1A51916E9DC405,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.435{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F0F7-62DF-1504-000000006F02}6672C:\Python310\python.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000274014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:40.255{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64768-false10.0.1.12-8000- 10341000x8000000000000000274013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.251{F81F30E6-D9FD-62DF-B000-000000006F02}56685648C:\Windows\system32\conhost.exe{F81F30E6-F0F7-62DF-1504-000000006F02}6672C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.251{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.251{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.251{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.251{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.251{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F0F7-62DF-1504-000000006F02}6672C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.251{F81F30E6-D9FD-62DF-AF00-000000006F02}56765672C:\Windows\system32\cmd.exe{F81F30E6-F0F7-62DF-1504-000000006F02}6672C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.263{F81F30E6-F0F7-62DF-1504-000000006F02}6672C:\Python310\python.exe3.10.5PythonPythonPython Software Foundationpython.exepython httpserv.py -p 80C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=B1E4A59F3F1C7B6F250319D58798D3B9,SHA256=0467DF606D98305B25A040E051CF8876A553A61DA1031E51E6E77B15FB18B964,IMPHASH=4532ED405F27949E7A9CE4879FC06EC9{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000274005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:43.031{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9688D8182382BD69442B02FC7F8FCF,SHA256=FA51F42466DA5C9A12D22046F00CF1930533146A36E5172AE26C33AAC8449EAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:41.317{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50883-false10.0.1.12-8000- 23542300x800000000000000051249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:44.495{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5C52057FBC5B30C492354DB3447A23,SHA256=DBC77BB04504B40D8D905B8409FFD379A8EF3886C9B6983749DFD94323E5454C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:44.081{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8DEEA6F84EB125F64F9F3F37C897F4,SHA256=5335005E4C5121C2E8E143D5C752BBF792C776781E2489ECF6C5672928F7E736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:45.792{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:45.589{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808A879257B2613D695AFCE2C5CF9FD4,SHA256=966EEC06A8B3607BC083A9948BA1E5281D41F944EC071C90462E18EF621BDD50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:45.111{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C68233072AEF53374D8CE7C10AD8730,SHA256=67EDA6AABC88D0A257503106F589919ECAFCFB5FFF852A28334FD2602EE9C8BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:46.682{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF7EAB40DAEBAAF80D9D1B688C1F1DB,SHA256=00473E416CEDA7CFDFD73BE7B05934416988D152DE8378EFD8CAA6FA0ED501A9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.729{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\AlternateServices-1.txt2022-07-26 13:49:46.727 23542300x8000000000000000274023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.729{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.728{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\AlternateServices-1.txt2022-07-26 13:49:46.727 11241100x8000000000000000274021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.529{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txt2022-07-26 13:49:46.527 23542300x8000000000000000274020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.528{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000274019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.527{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txt2022-07-26 13:49:46.527 23542300x8000000000000000274018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.149{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511BC1E184122B63697E6D38F333E22B,SHA256=82182443D0472E87577121EC5AD0E6DE7E4B362E797B648F29517AB7D1DDB1CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:47.776{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94AAF8D50C6F5333DAF0AF4F95056D08,SHA256=057F524C2742752E9F328450FC9AF6ACFE42C5F337544FABE376AFFFB58AD51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:47.745{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=627402102D3BA5B7E986D4E343DA19AF,SHA256=BE649F9F3746B73A4999EA3242F1F6BEEC392F8C66D3D7CF6C3DEA1186D9268C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:47.747{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:47.279{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3C7E2A105973726BBB36D24E54075F,SHA256=44954D7B3D4055108BF6E7D380951C2F03985ED485CADF4681E7203C44EE1FF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:45.848{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50884-false10.0.1.12-8089- 23542300x800000000000000051257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:48.870{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30D548874DAB2660851CE9989A1A33E2,SHA256=72D690E43186D9600088E9E3D05DB42B50182C24EF8B0A5F7EB76196B2FF8149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.729{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.430{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CFC1DFAC89EEC55E2BE01C692B1097,SHA256=DF5FCFBB5755A97EA7D44C19526F9B7931CEE63E007C580002A4188E8CA7B632,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:46.333{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50885-false10.0.1.12-8000- 354300x8000000000000000274035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:46.067{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64769-false10.0.1.12-8000- 10341000x8000000000000000274034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:48.210{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:49.963{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C74027EAFFA8EC1E49349E8DF8E9EED,SHA256=AF74189B433DD97BD15CD902E8524410F286507AAF5A046EEA14A2A288AAA459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:49.893{F81F30E6-DE12-62DF-7B01-000000006F02}62606932C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-EFFF-62DF-F303-000000006F02}3988C:\Temp\dcrat.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5559f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+6d93|UNKNOWN(00007FF973F14401) 23542300x8000000000000000274038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:49.477{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E408835EA83786970A65DB4D14DF6E9,SHA256=0A07517521BC84927769FD453DF81D6F930EADE79D3F7A052F7C424A1C9582F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:50.844{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:50.844{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:50.844{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:50.807{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:50.807{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:50.625{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DD2886FDFC248B42DB05C7E049037D,SHA256=9D13CDC029FED2EBA94F0C4F5F5231F0768FF454A8D29A9B9EC9DC9D3108A87A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.675{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B6390A7FA95FC8C1052FF76BF19E1A,SHA256=5BDED9BF85C951DB5B2A2A0E19F368D699A4F3AA7CFEAE52504E5EC139DB798F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:51.057{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E1274599DA9592E775E413527BA2C4,SHA256=661BA192DE8DBCF122AB1631B7E07039F4A13E04133AED72148B6E23FB73F61E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:47.712{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64770-false10.0.1.12-8089- 23542300x8000000000000000274080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.821{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342B2B0228873839E4CA741FDD690DBA,SHA256=75ABBED59D8FAEB142EB0BD588719BC5D6639A79299DA575E907723FEF69DCAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:52.151{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECCE7EDC6A00AA145031C2A45D03A56,SHA256=901ABFC6731D9C76C825E9FE51C526ABCD46B31D898C407EAC7FBC8D2D15E924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.190{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=340E2398A4442A0BB3207DA871A00455,SHA256=C917D2E35AD8C11867467314E726EA880A904582A6AAA5774C8314AA2A5B0B60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.159{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.106{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.106{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.090{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.075{F81F30E6-DE12-62DF-7B01-000000006F02}62607320C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E8F4BC) 10341000x8000000000000000274073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.028{F81F30E6-DE12-62DF-7B01-000000006F02}62602128C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E37196) 10341000x8000000000000000274072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.028{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.028{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.026{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.026{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.026{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E4383B) 10341000x8000000000000000274067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.024{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.026{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.024{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E37196) 10341000x8000000000000000274064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.024{F81F30E6-DE12-62DF-7B01-000000006F02}62607320C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E33AC9) 10341000x8000000000000000274063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.006{F81F30E6-DE12-62DF-7B01-000000006F02}62605680C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+104b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11e6c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2c1d4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+120a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-DE12-62DF-7B01-000000006F02}62605680C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9414|C:\Windows\System32\KERNELBASE.dll+c7105|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11fc7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-DE12-62DF-7B01-000000006F02}62605680C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+342a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+37aa|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-DE12-62DF-7B01-000000006F02}62605680C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+3791|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-DE12-62DF-7B01-000000006F02}62605680C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+55fc0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d66|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-DE12-62DF-7B01-000000006F02}62605680C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+7437c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5522b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d31|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.001{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe5.15.2.0-libGLESv2-libGLESv2.dll"C:\Temp\dcrat.exe"C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=E06895CC68C528CCD69780358C4A9DA8,SHA256=A7BC5B997A4051EF86F2BEC3C3E21254AFF16F8CFFF9ECFBBC06F73DA39D5F9D,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000274051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:51.990{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:53.921{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6E1639A35DF52F730346C291F5AB42,SHA256=A038F9011155C266D14DAA359E8E107922E2084835C5727637A5541D21350D32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:52.270{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50886-false10.0.1.12-8000- 23542300x800000000000000051261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:53.245{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21095576D9AF3B396DF1B3B7EB8B6FC1,SHA256=F34CFD8EC9C96019EF1DBA1AF82619F9F573D3A89AEB0D078376F088C0CD68F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:54.338{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E09DF36E99ABC75FCE5E6FD521EC6B,SHA256=FC4337127CCDC1229C5DC9D30EFB407615601D846C7EAB2A76D21464F009EE00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:54.599{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:54.599{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:54.560{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000274082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:52.093{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64771-false10.0.1.12-8000- 23542300x800000000000000051264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:55.432{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4938BEFB8AF3B3FABD266E702B30D37C,SHA256=124E65B6282AF61A3AE04BBA350F7C55DCF565443F6CC72FC0EAFFE53E11892F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:55.234{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 23542300x8000000000000000274086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:55.033{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09C8C2963361048700E626164EB5B4E,SHA256=0B0E7D52BA771667F37BF12AD313BF946E723F9BD7D95413514F3F79623065F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:56.526{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4481553CB67160B2E3C8A7DF7B4DEC0B,SHA256=8895CF8C0D61F042971A26F517F801AAF2076D02B50D6FD8C357B50E20FF60E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:53.988{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58217- 354300x8000000000000000274093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:53.987{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local55136- 354300x8000000000000000274092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:53.987{F81F30E6-D97C-62DF-1100-000000006F02}440C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local55136-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domain 10341000x8000000000000000274091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:56.348{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000274090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:56.348{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:56.348{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF5bfb2e.TMPMD5=07A8EEA392A63B45D05AB07AEB53AD56,SHA256=96E0E3067BEB1889266221D44DC4BAF875CDC9DF47F2E353EE64800B14CE381D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:56.149{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADA023A1C88955D40F28A2F7451F725,SHA256=FE596ED0DC483F3AA08F85F892AE3F3E5E7D81545F5B662B99E8904F9CF58BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:57.299{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1B6B2658098B5EEDA9AFED5685E1A9,SHA256=A58F8F05ED91898CECFE74A2C3758A85073B3298AAFC0B65B4975A5AB9F20C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:57.620{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F306C3B2F9B2B5D1E9236850E5E380C1,SHA256=BF08C63721578580BCF342D1F7885814A443B4AD1784DB4912AA659FEFBFF4F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:58.713{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1530F351E87D7826CE1711C4E9029F7,SHA256=AEBB8EB565C61DD3A756EBC963659E8D099926C794FBCE8C06F5A73D60ADA3E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:58.978{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:58.978{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B1985CC2A068949D8275BD8D7AA322D3,SHA256=6642EBBFB4D1461B1AA941134CA5B1C3FBC50DCF88865D2770476D4E5DF0F489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:58.432{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDF9A03BEED2E1194F72CC15ABB1DE9,SHA256=42C2093F7E56CC3FF228A44D52B320516F2F7A5D467C7D6CB5DC372D51ED603F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:58.239{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50887-false10.0.1.12-8000- 23542300x800000000000000051268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:49:59.807{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E5C56C1D723520658BBA70120E30A8,SHA256=49A3A482E4E4BF49DF9AE1BCC35B864A02BE39BB511CE8AC47CC4D29ABDBD4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:59.478{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC006122B7D648E05A132EBF991C4FB,SHA256=44D9A078156D31ABBBCEA0E655EACD10A4A18846514C16C3D6CDDCA5F6C95043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:59.231{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=F8ED0B3FE5B133867F217DC2CE052A31,SHA256=ADA40FD4B6FD7F5F96A103B85BA98E2829AA1695AEA1906D5A1718F2F33E2189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:00.901{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18F60E464D0A52B900D9AE5F78BC193,SHA256=8F0B51A3265C89499664634536217CBE6261221405EE4A33A4FA2D3B80BCE83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:00.630{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A955D2B3EA26FCF3D45E258C3A65CF,SHA256=E309D526BA4C5BA586F6C9FE5DE1CAA8AAF0339650B3AC29A8733759EBB1F365,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:49:58.050{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64772-false10.0.1.12-8000- 23542300x800000000000000051271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:01.995{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E82EAA9B8158AFACC614D85DFB01EF8,SHA256=DCE4B5086C853A210DA1A8FFB6CCDB3FD64E006721981803398804CE2E100EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:01.746{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA78E1BCB563B1C83D0F743D603EEC29,SHA256=3FAC28AA49CA227E9624A5C0FBAA3B56F91437E348407127FD2E93DDACBB5379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:01.213{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C7D6EAAB285E6E7E461BE7693920542E,SHA256=53849F8D439CCAA798B74152BE4517DD9049BB5FF79E512AF7CD59EE16EE2223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:02.863{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB974BF74B75EB4F24F68382DFC829F4,SHA256=BC9B7DC7309A5D88B4251CD6341D259BBA2B8956E72E282FA9EC594224F8057E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:03.979{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B60E6C53118039B60540322B302F407,SHA256=1454ED85936CE6FB30036043B267E18AE13C7CB75EC8FC30E5603D31EDCDC890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:03.088{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1287EDCFDF422D490ED6A243DB2FB0B0,SHA256=08E24443A4A51448604D4C2FB6AB8A42DC3ABFEEBFA58072D7256842BA6537B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:03.648{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF88C37AAC6000B9151F96B5B24FC6E8,SHA256=39E9FCE63682135685D980915F4530C36A5A76F9FCDDA67E525F686B641CC9CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:04.326{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-097MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:04.182{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3FF540F23BADA1BA3FF30C29A19334,SHA256=35A99D01F217305311C15BAB7C0CD1F37828D5482901D15C938794A7AB1F22B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:01.596{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64773-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000274108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:01.596{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64773-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x800000000000000051277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:04.270{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50888-false10.0.1.12-8000- 23542300x800000000000000051276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:05.325{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-098MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:05.277{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCDAA375BB862805DD6F7761A68E712,SHA256=A5CF0DB6F02596C703BADB933CDD1274DEF3ABD7F0725A87B58C072B57BD4AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:05.015{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9536E8CBBD20C010969E7494E94858B6,SHA256=63178F5BD6158712918ECF724ECD45BF1B8BCDEA8D25DBDE90C1274289C57C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:06.371{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF119AB48397320588306FFEBBDA66D,SHA256=0BCEA23E89FB649DF618D6C2A23DD3CD0EC5A8E5C64E39B3348F2549DD2CABF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:03.226{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64774-false10.0.1.12-8000- 23542300x8000000000000000274111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:06.062{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75E32AD44AC5B134F4B8ABDC07385C8,SHA256=086BD3BA68599187F7DFE86A13ACFF12A00A03F254607DB0ECF910B11EDA9B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:07.464{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C51F9A0E2E0C70995CA291112237193,SHA256=5DB39C5A3A1CC8BE514CC32B70F3AE68C2591D03B69EC33C23EBB780B04019BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:07.751{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:07.751{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:07.181{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C498F09FFE0743887E77CB872EE74DA9,SHA256=2C5317A555BFBFA4FEBC364BEBE9E1B79A419754DD84480823BBDFC1BE523E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:08.558{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=544513C571557AF97EE639C2F9B9A215,SHA256=A0A8E0E63E453FC945E2908933AE086FB448FF4A811BEAFB2D5685010F6B72C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:08.320{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F6BEE6769D22CCDACD97098F6F99CA,SHA256=30AE08182B4CF7C91D72B45708F414DF46C551C7B7DBB64D2DF6F837C555AA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:09.652{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C6256906273247B62F793DD7D5EB9A,SHA256=3C5DBD6F88E34800EF8BB03FF6571DCD71EC7BED25748B4DCDA8317E2995459F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:09.451{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEEF6E389B0B7901DC8A2542B70F155,SHA256=A17A7C570DF64CC2789570FB835247A16E44B3A50CA43ED759B218856C44CE98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:09.367{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:09.367{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000051283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:09.271{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50889-false10.0.1.12-8000- 23542300x800000000000000051282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:10.746{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92068645E0265A6B23BA2D6FD935007F,SHA256=23B6D6813DA3A8365D28628E11B3B83C32D21902A94084F844D4393D46BF5E92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:08.239{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64775-false10.0.1.12-8000- 23542300x8000000000000000274128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.482{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC81A174B6305A260EED9DD5C994DA3F,SHA256=B424AC73F800E5D40C6884EBC5AEC30D80796566BC8E776CDB724607131558F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.319{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.319{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.300{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.299{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.266{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.266{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.250{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:10.250{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:11.839{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BBD482254A54ACBC43D17D1BFC932E,SHA256=D9574846564CADA4B1EB86F6C45CB9CDD11A3C04203ED81729D15EAB47DCE23E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:11.535{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23216EB903EA6D6720B95BD04663973E,SHA256=0236F9D60C82C2B167D20C66026D81EA4CF46375A43E76957865B8636FACB0E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:12.681{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D56AC38D53879CCDC09A0D0D9E5CC8,SHA256=D50C2F3E57C6D75623D783AF5AC4A2AA95B7894BA97820F06AD741238BFB71FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F114-62DF-3A03-000000007002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F114-62DF-3A03-000000007002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.871{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F114-62DF-3A03-000000007002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.872{53069400-F114-62DF-3A03-000000007002}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000051298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.589{53069400-F114-62DF-3903-000000007002}3652736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F114-62DF-3903-000000007002}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F114-62DF-3903-000000007002}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F114-62DF-3903-000000007002}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:12.371{53069400-F114-62DF-3903-000000007002}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:12.134{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:12.134{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:13.732{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55153B1F4AED04748DEA3137B8F41B0,SHA256=A27F83E4640F78FAFD8D7329096016C115DCE2F2C441C2567DD2F00309031830,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:13.732{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:13.732{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.417{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00878359B9F3898BDA6030D2C4DC3D8D,SHA256=22A4312C0A8CBFE458C42C7C9AF030CC8146BA76F79840F04E842A590C8AE803,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F115-62DF-3B03-000000007002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F115-62DF-3B03-000000007002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.371{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F115-62DF-3B03-000000007002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.372{53069400-F115-62DF-3B03-000000007002}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000051313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.074{53069400-F114-62DF-3A03-000000007002}960372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:13.058{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB4029C34918B8B02D579918FFD9CEB,SHA256=7E585CFA3A3EC9D63E4CD6065C2B03F680D4AB5276BE6AAED7890CE7A57C1937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.899{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845E7D20E8EC4BE508EF05FDF51471BB,SHA256=6AED004640ACE43BC28D84BAB2BA771AC7548908B7F8956FB99976CD4659F639,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F116-62DF-3D03-000000007002}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F116-62DF-3D03-000000007002}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.714{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F116-62DF-3D03-000000007002}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.715{53069400-F116-62DF-3D03-000000007002}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.339{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9457C55B18DB904392834644EC55C6E8,SHA256=ED254145535EE877E4F29712DAECBA904F68FE3D7D5E2834AD01BFE0CEBB253A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.214{53069400-F116-62DF-3C03-000000007002}16643512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.363{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.363{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.348{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.348{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.332{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.332{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F116-62DF-3C03-000000007002}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F116-62DF-3C03-000000007002}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.042{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F116-62DF-3C03-000000007002}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.043{53069400-F116-62DF-3C03-000000007002}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:15.931{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECF0BA68F0133095485D1671093AACB,SHA256=EC97B85FBF1215157FB9C460A05E53BD06B1F5F53A344DFA1E4BEF9F7B66E247,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.542{53069400-F117-62DF-3E03-000000007002}40522384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F117-62DF-3E03-000000007002}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F117-62DF-3E03-000000007002}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.386{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F117-62DF-3E03-000000007002}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.387{53069400-F117-62DF-3E03-000000007002}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:15.261{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9B238A50E9F0935635038321EDC9A6,SHA256=871B554610221A8723569F1F128CD9A21ED43014199A17923CDA2BADF320C8CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.621{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201E0CE47199558C6AD3929862B23CB3,SHA256=944BE2A8F270E4956BA0F00C39193C0EF57B0987E077FC0F0DA8362B95C9FE34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:14.119{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64776-false10.0.1.12-8000- 10341000x8000000000000000274149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:16.716{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D978-62DF-0100-000000006F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97d32|C:\Windows\system32\kerberos.DLL+7a118|C:\Windows\system32\kerberos.DLL+1454f|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+2d496|C:\Windows\system32\lsasrv.dll+32d29|C:\Windows\system32\lsasrv.dll+30677|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+176fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000274148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:16.631{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:16.616{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:16.177{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:16.177{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000051384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:14.293{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50890-false10.0.1.12-8000- 10341000x800000000000000051383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F118-62DF-3F03-000000007002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F118-62DF-3F03-000000007002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.058{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F118-62DF-3F03-000000007002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:16.059{53069400-F118-62DF-3F03-000000007002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:17.683{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1889904AF7A448B397EBFE45B6FE77,SHA256=3C4D24F9526C3BA0D6F5D9D0698011C778A962203DDF69161DF09B280CA076D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:15.724{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64779-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000274157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:15.724{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64779-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000274156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:15.640{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64778-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000274155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:15.640{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64778-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000274154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:15.626{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64777-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000274153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:15.625{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64777-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000274152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:17.746{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72E5532332F24254BF0D46BB2510A2BE,SHA256=86115384EC7B406A81C41E7FC7A23F84959E992FC359A36FEA2CA3D56638565D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:17.047{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F536BD0E4A20AF8E40800ED3B42F576,SHA256=9B0750AA4F9B21C0E980AA618AFF6F9FA2A118E3DD563C095F6BBFE2046910B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:17.121{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=217453C5503FB5540196008C3E492C83,SHA256=9BB7D6807674383BFD10B6E09CB8AFFDAFCED2572100B3411274940E7685174C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:18.777{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECBC3D7ECA5ED272FE661285CF54BED,SHA256=1F49D093E96318CF302F5D924B9C7AF2B5CFC3D295308EDD0F9857E17302890B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:18.486{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-097MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:18.430{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:18.096{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80EAE8ABCD0E17F5B82EFD6748DD504,SHA256=4EF83B5869BAB18059C4ABF9152906784D9A52B0A629D7D6E3C91D7D620266B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:19.871{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEF3770B339098366CB986838AADD88,SHA256=5227A074E96A083F48B82D544F901632A12CD872443F9FAA4BB3441B19B9ECBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:17.501{F81F30E6-F0F7-62DF-1504-000000006F02}6672C:\Python310\python.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64780-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 354300x8000000000000000274165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:17.501{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exeATTACKRANGE\Administratortcptruefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64780-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 22542200x8000000000000000274164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:17.481{F81F30E6-F100-62DF-1604-000000006F02}4600datagroup.ddns.net0::ffff:127.0.0.1;C:\Temp\dcrat.exe 23542300x8000000000000000274163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:19.483{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-098MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:19.198{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C792B7E8CF0C06ED4D26754D37976B,SHA256=2EEE6BC4B576ECB249064F257B1F36162CBE04E0EC32BF34DFF6FA397D67D1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:20.964{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41531CB60C917CA763B426A5BFE48D7,SHA256=761548284BFDADD4E05AFAD62F5718ABE062E3A218B69FFD908AEE952C984E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:20.235{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCA4F621D4620C5D893056C9A44C747,SHA256=7AC8A121114861812D0E09325EB2A797373422C49FDF0927858D5DD32465BA6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:19.138{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64781-false10.0.1.12-8000- 23542300x8000000000000000274168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:21.354{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA636E222CC0D6B582A6F8A4E0655D8C,SHA256=CE20110B66DFAC3D7A149290685BDFB11F461D4FF15D3209D38B2BD1CF4D1613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:22.400{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD194DAEC2E1B959BDA53E7E84578DB0,SHA256=D2B0C58FD635329E86D7B2D2AD696B7E9D215B47759BCBE35ECADF85F74A358F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:20.208{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50891-false10.0.1.12-8000- 23542300x800000000000000051391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:22.058{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13C08EF566FD08EC6DFED5BD00187C0,SHA256=2177E474E8AA0A5C92CC63E3B54191B45A5F47094B31BB806ECA664CBDD9BFE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:23.452{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A227FE662B0D14C249DAE617337D9D9F,SHA256=6A207A82DE6B76B4F3FD4D50CA27823CAE746813701F3554248FC804339C9FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:23.152{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA495E32472D200AE73809B46F58D7E,SHA256=463867095287A53477A7F2DE660D5CB9D4F838BB434004A211EEE0F2527E7514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:24.483{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37968E298B3363C4F64AF413B5EEF872,SHA256=A235C987D3596F1DB7C7143305B8F1F474C66F7FB8875ECA07C34828E46EEF1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:24.246{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165A30ECFF98388B0BCF726CA43F977A,SHA256=49921ED3522085088F77D40740F7261EFFDF90B8CE64D0ECE8E9478899F9AE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:25.339{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0A39212EAEE9B88193E0BA37B50439,SHA256=4973F0EADA0E15381E32B96AAC396AA7694DF75BEF00EF43773B918999963454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:25.602{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA6E974695E2229BB2DD07A58872654,SHA256=D719C01EC8D9D3B95F6C110871B32032B7C2AC90174027187515A703FF969D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:26.433{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FF835CE3FC0F3BEC1F961C40E4B8CD,SHA256=F7C002D212FB5C62D649E0F6EBC0E5CD6FAD26DC9E81560AE334A2641197F688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:26.654{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4BD3132D9B026A1A1C0686CBD8BFFA,SHA256=31E567203606CBCF502E1640FC9167A89B6439E7FC9003F700CE039E05D3B4F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:25.124{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64782-false10.0.1.12-8000- 23542300x8000000000000000274175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:27.700{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4CD1F248B1AE7F26BD3722A6EF38D3,SHA256=EBF3D2223F98A1DBBD8C22555158D9C37729A2699C1E7BD813349FE3B6EB4C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:27.527{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C46060BC21675CE1ADCF4DE321439F,SHA256=36A8C43548EA43F075C59222BCDB41E2C88E51B326BB2CECD7F4A046F956E913,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:26.224{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50892-false10.0.1.12-8000- 23542300x8000000000000000274178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:28.817{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219EC5A226C27EC2CC36C5C236E3C435,SHA256=DD89BE733595DE136D42F60CBA9F3B9552E36A5EB486E2EDAEE94F7F926FB51A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:28.621{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554183904D0217A56A97B2C4B5B3AEEA,SHA256=F421127DB31414B710012B39D82E9DD7A14418BFA78233038D1F2F5E13110FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:28.585{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBBEAB691ED60AEAD1F3A67399EF776D,SHA256=137BA33D22D8C4078AC3C16086BE0422512A83AEEC1F57A78E795A279A232E5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.951{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.951{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.951{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.951{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.935{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.935{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.935{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.935{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:29.867{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BED69CFFF98B6A70514A06B9177358,SHA256=FF69F3965660F45BA08C5617B0DC4BDCDDC25BF84DC682125901E8A3DB299792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:29.714{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDFE22ED263E33F315CB1694ABA5ABEC,SHA256=81F0284440104142D5F6D35069418A4CA17EC8C6C2705C7518273AB4882F9857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:30.917{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C4B8875A01A627451254AAB3BD068D,SHA256=661B435F9490DAE084A0FA7B57C46E77F0EBF89586A08879D42B67DE5AF858DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:30.808{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88AF9CDBABAAAF55E8C61D635493152,SHA256=36F84EC7403952B4E12B7C371EBF592C308C0DB146780EBE0955B0A730B22714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:31.482{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6FF802A02EE51ABDCFD1E6772C1A4120,SHA256=19618F55BBD672A6A6619460BB509A07328F6D64D10BFF9F5458AF9FA3609DB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.882{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F128-62DF-1804-000000006F02}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.882{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.882{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.882{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.882{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.882{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F128-62DF-1804-000000006F02}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.882{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F128-62DF-1804-000000006F02}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.883{F81F30E6-F128-62DF-1804-000000006F02}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.397{F81F30E6-F128-62DF-1704-000000006F02}55243352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.217{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F128-62DF-1704-000000006F02}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.215{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.215{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.214{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.214{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.214{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F128-62DF-1704-000000006F02}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.214{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F128-62DF-1704-000000006F02}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.214{F81F30E6-F128-62DF-1704-000000006F02}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:32.035{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5635E7B67F64E78E003CF48B1554081,SHA256=F70F7C37EC3BFF812DF7063FD420E67127A51D06F3331F71DAB81FD05228765E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:32.011{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B403E4D6EBAC9F8465EE2E2CD85DB21,SHA256=5020558956D00BAA7FA98DA16F02A23D41B2D6EDE616797D8EED595F97875A6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:31.117{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64783-false10.0.1.12-8000- 10341000x8000000000000000274217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.434{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F129-62DF-1904-000000006F02}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.434{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.434{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.434{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.434{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.434{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F129-62DF-1904-000000006F02}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.434{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F129-62DF-1904-000000006F02}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.436{F81F30E6-F129-62DF-1904-000000006F02}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.082{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3B313324B09F5DE10D3DEF0C6EFE86,SHA256=ADE3E52194D63947188BECF341C5E34984CE651C17C15BD8C8B44DEB9199E7D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:33.066{F81F30E6-F128-62DF-1804-000000006F02}327364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:33.964{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=29602DBA82A4686B934ED0F97558C698,SHA256=49E739D48596738DC94C9F4E019184B4A5E75D3958CE02532CA878B65EA5913C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:32.162{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50893-false10.0.1.12-8000- 23542300x800000000000000051403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:33.105{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413F489BEC8AEED583B0C8AFBDD53CC1,SHA256=069052C3864274D9EC09746AC9D3B3596044675CA30B89508D14B7B1A05311F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:34.199{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FB8FC68029B9D1B2EA5A11ED52183D,SHA256=69D407F25E846F01B137591CF3DBA0F04F6D82F5BF5E8B526553E993FA523359,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.965{F81F30E6-F12A-62DF-1B04-000000006F02}66966816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F12A-62DF-1B04-000000006F02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F12A-62DF-1B04-000000006F02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F12A-62DF-1B04-000000006F02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.796{F81F30E6-F12A-62DF-1B04-000000006F02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.680{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7C439B7F00D460AF6614E227899CE8E3,SHA256=F8820E2287801DEEAE1E6D9EC8F6CE515DD6059DB91B7305064D0BB9FE854575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.514{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F22C70808D3E4978872556C3DA1B5971,SHA256=BCF19BE5B0335A8385BE16CF7A91756A650504EB64B41AD1371BE06082D4A6D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.449{F81F30E6-DE12-62DF-7B01-000000006F02}62607320C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F100-62DF-1604-000000006F02}4600C:\Temp\dcrat.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5559f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+6d93|UNKNOWN(00007FF973F14401) 10341000x8000000000000000274236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.334{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.280{F81F30E6-F12A-62DF-1A04-000000006F02}64285284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.118{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D355C9F64A7B02F97B493FC991622BE,SHA256=947855FAE170127A9F8DCA2BACC3DB00AD68589F878DD93A4D1E6FA710C8DF50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.116{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F12A-62DF-1A04-000000006F02}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.114{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.114{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.114{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.114{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.114{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F12A-62DF-1A04-000000006F02}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.113{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F12A-62DF-1A04-000000006F02}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:34.113{F81F30E6-F12A-62DF-1A04-000000006F02}6428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:35.292{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7238027F29E3E27BF8BAE878745131BA,SHA256=6888F22FC6C34A6DB781D55A5936A4B28A8E6E31EBDBADED0DEDF674594B3653,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.465{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F12B-62DF-1C04-000000006F02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.465{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.465{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.465{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.465{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.465{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F12B-62DF-1C04-000000006F02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.465{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F12B-62DF-1C04-000000006F02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.466{F81F30E6-F12B-62DF-1C04-000000006F02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:35.213{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACEDE4FA86D879AF2D1418CEE234AF32,SHA256=A9C4C86F59D9DDC81CB73202260FCA0CD395F1FF51C58C0FABE3EA79F7F8B677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:36.386{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E795F02BCAB00200EF1F4E2884361EE,SHA256=4EC5E3D2A24DB978C4FCBEECD40B74BA75FA31C311FF2B1BA1B7A987C67F02C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.279{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1734CE5BE4FAFEC39B901E67C3C0E3B8,SHA256=80AFA30E5F7C3B039F9EAB7538555D83D591C4298ECEEE648CE444158F42EA56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F12C-62DF-1D04-000000006F02}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F12C-62DF-1D04-000000006F02}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F12C-62DF-1D04-000000006F02}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.133{F81F30E6-F12C-62DF-1D04-000000006F02}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:37.480{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=647670BF649220130105D51A3DBE0978,SHA256=48158C8E753B63AD25B6E8956AA559BC34FF67FDC3FBD9B349D78C557303FC57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.415{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.415{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.415{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.415{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.413{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.413{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.413{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.413{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:37.311{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9CAC946413A548C26F7A2E5C83B536,SHA256=32B66983FC19D0708433298CCDCA696144D3E2E8954BA3ECE09F1855A9460306,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:37.271{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50894-false10.0.1.12-8000- 23542300x800000000000000051410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:38.574{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD43ECFE253EB29CB66B5B179432D30,SHA256=86F414308DF521FF5DEBCE1A8E21B1390238907C76D4E1EBB67F38F3355DF619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:38.413{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE14AF43B8A5CE0400DA5789627D7C6D,SHA256=502129460AB440594DFD66F00DAF7AB125370B22AD3EEC813BAE428F96B43A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:39.667{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5B350D4B93CE516DA665B738C3FCD8,SHA256=83399F1FD7FF0FD9BF65CC8469B8410341406C1B7394A5C81581B90CF50AC2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:39.546{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8682E81E1C7666338178DED83C7C6E9,SHA256=91F7AA31DE8B0F48ECF74045AFEB6347F60C65B34D43D4CF04D620FF03ED293E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:36.218{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64784-false10.0.1.12-8000- 23542300x800000000000000051413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:40.761{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB51A4E68E8C082D37FC73F894E6D723,SHA256=B7D20439B5B32CCE71C5D531E5F85299D239105E4ACF9CB0C84AD84FFBB5B86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:40.577{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717A0DED0C51095C5BA355695B58614E,SHA256=4D548B62371DAD96170013056F1EBF182D7AEFF9FB25DADD74CDCCB0FEE180EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:41.632{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E82E46CC4762BE0A44DDD18DF58DFA,SHA256=4825FDCFDBCAE4206582346E8DEAB80811231E78D8035F85AFB1CFE65276539B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:41.855{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA1AEE0FDE3D4DFC3133ABB9E5B13A3,SHA256=9707ED12C92D7028028FD63B8C74D402828ED3A201749CD0F36E655850244F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:42.949{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58A88693BDC40ECF112474E270B6F2F,SHA256=F3B87C3A7F0B730CA23393443E8A062DB19729BE26536CB99470D78AD9E2C144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:42.678{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD91180393723BC29801175C1AE9B85,SHA256=3A749A14989AC63D54FE6C68B07D05C44D45BCDEDB3190892FEB2B8BE7DCA4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.714{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB0DA195E59B34878E21BC8FA7EBCEB,SHA256=25FE4251FB2D47EEB2103FF397C3C245D1100E44F294D65D9C9B7EC27B210788,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000274294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 13:50:43.446{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\AA1F4EAC-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_AA1F4EAC-0000-0000-0000-100000000000.XML 13241300x8000000000000000274293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 13:50:43.446{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Config SourceDWORD (0x00000001) 13241300x8000000000000000274292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 13:50:43.446{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11.XML 10341000x8000000000000000274291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.430{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.430{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.193{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:44.745{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5517EC431A5C7B8A4F1081CA2A6A2D,SHA256=1A025A74CD457407E37FC84B51A4A3849101CD97670EE4682F8F26B68847EA90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:42.287{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50895-false10.0.1.12-8000- 23542300x800000000000000051416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:44.042{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4A504F77FA20D8A7113507FB697224,SHA256=A5D814156EA880D4BD0729FF933254E6D8D6730448FAAD45F087BF87910B0059,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:42.114{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64785-false10.0.1.12-8000- 10341000x8000000000000000274298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:44.276{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:44.276{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:44.276{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:45.877{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FC85E97CBF0CFC1858E423DF24944E,SHA256=E9FF55FB1D30961E63BEB2CCB29C396ECF13B5B157C1BB28013DBFD6A8D37C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:45.792{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:45.136{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073B8B28EC668B74529AA7C0E87FB954,SHA256=40F04810F0E1AAEC4491F66B94F9AA7D2246C27ADA6F62D8A95C191337B65D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:45.362{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E57A2557173441D92C1B0A7294C68BA,SHA256=AA7E930CFEBC6A7F97D7FBD274D637741D2B373B1DA7E264C1CD5C6C5E62A3D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:45.277{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:45.277{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:45.115{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:45.115{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:45.115{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000274303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:42.455{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local57413- 354300x8000000000000000274302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:42.436{F81F30E6-D97C-62DF-0D00-000000006F02}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64786-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 354300x8000000000000000274301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:42.436{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64786-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 23542300x8000000000000000274314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:46.910{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407ACF34A6AAED70DDCB4ADDC1701F1E,SHA256=1D75A6F05B0B4E887D4CB4BDF3FAD32881013087DA5BDBA7E090787010B89B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:46.230{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3EE735251250B6933466F7582AF858,SHA256=048D63567297B5326D3221D91ABF5E2B40F3561954B7BE62A829A28DC762FC28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.288{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local59005- 354300x8000000000000000274312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.280{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64787-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000274311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:43.280{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64787-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x800000000000000051423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:45.865{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50896-false10.0.1.12-8089- 23542300x800000000000000051422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:47.324{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51CE2847C87427D503D8189021C9D6A,SHA256=CB2CADCC7B6DD175161BF111851E20AA747B14FBFCF8589272959811E15B6D64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:44.114{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64788-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000274315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:44.114{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64788-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x800000000000000051421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:47.167{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=082049621A22E250424E6AEEDCD4A64D,SHA256=193FD8CC36BBA05BEF7CBF32F782302FEDC10A47CD6871DAE3723EE640009AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:48.417{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6232780D372D2F5F3EE0655C955DD543,SHA256=F5CBD878940FAF211AE159AF8866C78D25F7773EC789E13D388D796540DE4608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:48.758{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:48.459{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=8ED9947FE6A0428F36A6BC3C4EF03A21,SHA256=EE7FB5E653ADDC009F07B80EA25B8B413BA4F45BCE106033631EF0C72AFCE889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:48.043{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F08D2A4A514BB4AA3B0526DC6CAB3C77,SHA256=339C808B3EF2D227F52545CD1CA56C2379DDCE3B6BEA693DA0DAAC97238C12D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:49.511{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD040BC2FDEB63B4E4CCFC9AFBF62B3,SHA256=D2513CAA78BBB7F2B362D7D2EF0197D2810BCBEB66B34D7FD30CC320A95D648D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:49.173{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244AAF05A6948868A4E92F3035A907EE,SHA256=25D6039688B2E2F508A31A577AE9979C6148A5408E1AB512F0828FCF72A102A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:48.115{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50897-false10.0.1.12-8000- 23542300x800000000000000051427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:50.605{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA349E7C5AFD15895880FE7BF34BBAEA,SHA256=A3AC0ECF57721CEA2B7B233AB6E51C9678E8BE8E88DDD9557BB20CDC2462EF56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:47.747{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64790-false10.0.1.12-8089- 354300x8000000000000000274322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:47.233{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64789-false10.0.1.12-8000- 23542300x8000000000000000274321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:50.205{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C080907171B18EC1EDFB24A2E6A664,SHA256=4D7C12337F16C721982F95FA9CB3139627DA51AD9C676DC290C40AA49CB0E2DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:51.699{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6996123B374372010E9707E0FE1EA6A,SHA256=3A332436D0A7C8A79D1B1AECD4617055A5797764671AF8B9E52CE0A42E78B68F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:51.255{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A998A8EEA6641B67D857F2CE224A9C,SHA256=2A864CB6BA2AC4D93D442946B535E8600550339857A72A627FBB47C5C961AB4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:52.792{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617D5FB57B3F2DD8A2EAB9E02B4E63A7,SHA256=ED48F9CB72A59A0D5E5CCB1163F5394CD722B7D2C549635DDFAA674F4BBE574D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:52.370{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5642C3F5443E804C74AACBD54F72446F,SHA256=A51137D2AC2809BD456AF886DB187AA68393F09C829953A734487E7C99BB0689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:53.886{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCBAE8738089D590035F9A09716BDA0,SHA256=110C3F0B14812459D6F10F2FA33D74AF20089E8DC5D959D635CED1A8ABA819CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:53.469{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=7343AE3BEA8C2C2930BDE4B3E1FBBC61,SHA256=8379E1FB3C0A54C8FF5378FBF117B3E979E107571F1A2287555F9DD62A55DC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:53.402{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDF006F76071BDF53861A4DC76574E4,SHA256=D29C2E7BAA347CBAD7F9BA84A3FD021F83A17C849793A61CD188FCA3BCBE92BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:54.980{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD7A4AD3E84FCBDCF8D9EF90F0263DD,SHA256=42AD6F6F55CE4D774E22218B21C7F6239D639696350824D69C1199B2767B71EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:54.502{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1EE5CF419083EC02616582E4CCA0EA,SHA256=A7F91EA77F928277B0713B615D580F4E9747AAE9CD9177B93401FAE253B4E1F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:53.177{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50898-false10.0.1.12-8000- 23542300x8000000000000000274329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:55.625{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A93070523B6DA04331C414938BE72CF,SHA256=A549F02FE8E1FCC68F6905D302D0D2E168CE0A801CBB9A038FA70010051D924A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:56.725{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648DF919298125AD2CA9B6BDEBED8067,SHA256=6573B5F173110B212B9D7BD94F9BB04105B0EAC75E9411EB3EEC1146526652B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:56.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A015EFF8135215C484AA4D788AE3D0,SHA256=E3E8FBC409EC2B788B2537F57A78127681096E506B7D1299098224ACF4AC313C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:53.058{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64791-false10.0.1.12-8000- 23542300x8000000000000000274332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:57.870{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D91E45E90FF0D21D20C1BAD5E303A69C,SHA256=ED1076D9E2AF9C329B472E5CA2DA5F6C8294BC6059B34887806CAE70908CCA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:57.167{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830375D293BBA8DBACB63AF9093D0959,SHA256=3DDAC201440488F8DEFEB4E6FC6ADA4F6F9DC9862BB7C45DE9505398C890D54C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:58.261{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9B4AAFF7B6D5A89FB991B7EE062408,SHA256=A08F469E099AEF43AF7490D97B136979133A5275CD39F226ADB1CA5C9B395CF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:58.318{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50899-false10.0.1.12-8000- 23542300x800000000000000051436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:50:59.355{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2071DC00FA6F552F33CFD54F4E7F0AA1,SHA256=98BAE7EABC85496DEB0F2A57B2160912107A69320245AD3C894DB3DA38B5A18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:59.002{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAACEDDD04AA8D1531308E7A8501F50F,SHA256=077D4C5F7372940E9762D24A0C73C112156A5107AB8823E95469E4828C31E94F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:00.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECEB8C8F68DBD501CD09F2090BE3F4AE,SHA256=7A155B0295B5711ADFC3DF15284EE599D42224FE4FF11441F72D80F139E30D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:00.052{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06DC5A0347DDA09FDFF2981364D646A,SHA256=853676EADE4F9DF2DA2A621EE54C374BAEC120F5CEBE6AAF43955E03FE43AAE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:01.542{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C19BEA81F6070B1C795AFAC83C35EB,SHA256=2D4CBAE4FD25323452C5CBD33670A15870A609C38ED2AFBF0D73741B716C1D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:01.752{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0DF94D542E03A0675E8F491C1066A2E5,SHA256=BD81A72E34AB355CAB6FA1FC750CEBEC92A4512812E551811C883EE8C34AB1DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:50:58.058{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64792-false10.0.1.12-8000- 23542300x8000000000000000274335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:01.084{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31AE9279F8572821CAA01FFCD90A17A,SHA256=62B2A94EF71EB8D43A2B722B9F94B57511D372BDC669C6227D19653F951E0439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:02.636{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66435F3A7514528C8C18D28D5D787CFF,SHA256=E47A7E255E7990A14BBF686C6D7E56BE7C1CED39939538858C2878A8D6B95C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:02.136{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBA9DDA064331A35EC472467816480D,SHA256=CB2D85F631EA91B86105729C677B8864CF4ED6650C75C260F0FEBCB6509DE8E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:03.730{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245678FD3B25E54B8A7D4C3707822B73,SHA256=4CC2D39E5DB8BE5AD8A6CD8BD0331C25AE8610C6E836A505B24612CC0393D452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.650{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31FE9BF353E0BCCA94699071701D4348,SHA256=8204C7CB2ADFACE01CDF3E6D1421BFF8DF47E2A5B2803CE2DBA81DC6E24B9FCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.303{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:03.282{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60008EF87D0D1BE946E5E88B2303BF86,SHA256=9AD2C31B97FE92D1D52797F231534441DF441FDAC2373385DC1E6CB067E851F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:04.824{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD9794707DE11AC6DC0304DE3B1BC61,SHA256=B6B32D5A22BB9F875BEFCBF5D9D983A9DD8BB3CD47A40E5D221CEBE892ED3841,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:01.603{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64793-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000274350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:01.603{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64793-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000274349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:04.449{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C559D7E223207EF4A1F4CFDC4A4E31,SHA256=F25EB713F9C5C131B70E7D584822135C17B72C9989F85B77907EA1EFC96A91B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:05.917{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F4D74B5FCDF82258407BD69B7EC171,SHA256=838034BE1D6FA1C20B38E94A679A510247FE594A7BE84F3566075BC9619D5469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:05.843{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-098MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:05.617{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADF541D9E2845C0974486D652905823,SHA256=30E2D3A65ABFCE99BB2877266AA1F68FEABF8C76DDC58339F6C1E0D5F64D70D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:04.224{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50900-false10.0.1.12-8000- 23542300x800000000000000051446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:06.900{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD105A4AF87568CB9D3DB10992843895,SHA256=EE5125140F66FEFB4FC5B000082D8B512F705C3B18D71381C0F49E63982DF21E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:06.855{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-099MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:04.085{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64794-false10.0.1.12-8000- 23542300x8000000000000000274353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:06.731{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A96CA52A535AE68C08BDAAF5A95F08,SHA256=14A3D846AC0B3E90EB60FF219886817158CDA792F5075F84A12D27CDD4E1CD64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:07.902{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992AD6D07898B0096DBE0F0EAF9E40C2,SHA256=29083516E9A1F86FA2C3A57DB60E7D787F678F8B2F8D3C94D4BD1543A8350AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:07.877{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4671233462F7348985D2FE500C93E433,SHA256=38FB84ABF8CBA21EA6C2756A47A7AE524A418DFEE89B9A0A9FACE5CE902DD316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:07.415{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Users\Administrator\.idlerc\breakpoints.lstMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:07.415{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Temp\h.pyMD5=C8C845AF2F2A9F9FBD6DD3F1B1B252F6,SHA256=F677A3B077B3A9444C1CF2FDDCF80CF43A7F603B475F829AD3B3800B69689CDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:08.996{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC2BE65643707680F7B1A69A9870A8F,SHA256=2176C18D0B6ED31B2E604F32DFBACD344270575C4477DFD577E56817A2D89B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:08.895{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6812ED1A87D8BC143B00D70CFA2E171,SHA256=5E29524C68A21277B44906D6728E76DDDEA28A45F0A8CA955D28791DFBDED46E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:09.945{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2497BC6586CA1F0BEEDD5600F65975AD,SHA256=3C1A5318286E7462F87BDF1D1AC904651EBB5F5280E1DC41A8B9B382EC4D7CE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:10.090{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D34843EF9899EDC001A0A2187601D0,SHA256=2BDF466C818BBDFEB4F8B37ADF139DCFACC3BCBCC7167B8EEBE040FE01887A6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:11.184{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FFEEAF892EE0F0FDBAB9C110EC03AD8,SHA256=A64B8734D88BFEF1A03874240EBC589A6C1E7F70B82A64139DFA0A44CE3C5FE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:09.249{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64795-false10.0.1.12-8000- 23542300x8000000000000000274360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:11.075{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3EF4C1B56F762BB44B91BBB70B400C,SHA256=C2011CE689C5D586CBE724A38564E38DE054A3342FFE511CA6819443204A322F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:12.543{53069400-F150-62DF-4003-000000007002}13961008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:12.371{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F150-62DF-4003-000000007002}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:12.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:12.371{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F150-62DF-4003-000000007002}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:12.371{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F150-62DF-4003-000000007002}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:12.372{53069400-F150-62DF-4003-000000007002}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:12.277{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9E75453439A7D84C9673B42C1BC7B7,SHA256=DF7068B4535CAD4A421C66CE37A5DE306FF33CB1C7710E12FD9EC5FB9256FDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:12.111{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558B33B99F5FB55A9CFC2B003CE34E0E,SHA256=03596B06800BD6DB195E23115EE65D3D0D0E314C21C8C5D0DA6076D66754DA13,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:10.225{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50901-false10.0.1.12-8000- 23542300x800000000000000051496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.871{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD378133488C9F3E08B63022C6BE2410,SHA256=48B37CB6E9EF9806BE71937EDFA53D256DA1084FCFFF2BEACB7407A5DEA44C63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.871{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBDB3320C9D05AA44C0B61883E41C223,SHA256=593F44DFAA3D037AB85253B811526A7DEAEF56FEE6E9555AB578E5CBB2B8352A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.715{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F151-62DF-4203-000000007002}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.715{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F151-62DF-4203-000000007002}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.715{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F151-62DF-4203-000000007002}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.716{53069400-F151-62DF-4203-000000007002}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:13.157{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CFED490BF8419532781CBF08C2D5DD9,SHA256=27C0F0AFD165C1ED21647947F027E6E0D8815B407299A1CE1BE4FFFDF0B4A587,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.246{53069400-F151-62DF-4103-000000007002}33683860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.043{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F151-62DF-4103-000000007002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.043{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.043{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.043{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.043{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.043{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.043{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.043{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.043{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.043{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.043{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F151-62DF-4103-000000007002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.043{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F151-62DF-4103-000000007002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:13.044{53069400-F151-62DF-4103-000000007002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000051522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.887{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F152-62DF-4403-000000007002}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.887{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F152-62DF-4403-000000007002}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.887{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F152-62DF-4403-000000007002}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.888{53069400-F152-62DF-4403-000000007002}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:14.289{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C9F367AD1368F437AB455128F293FB,SHA256=447D8CA6AE6DB1156D8318BE2F0C18743A5D540D7378EDE55632E6F5EF6B7AD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.215{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F152-62DF-4303-000000007002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.215{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F152-62DF-4303-000000007002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.215{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F152-62DF-4303-000000007002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:14.216{53069400-F152-62DF-4303-000000007002}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:15.340{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C73B4A85747ABFAD0580CE0AB62598,SHA256=40766681311A5567D558E24EE5DA82177A2DE27A2637366C87AA95E9691266F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.559{53069400-F153-62DF-4503-000000007002}15643364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.387{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F153-62DF-4503-000000007002}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.387{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.387{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.387{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F153-62DF-4503-000000007002}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.387{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.387{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.387{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.387{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.387{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.387{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.387{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.387{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F153-62DF-4503-000000007002}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.388{53069400-F153-62DF-4503-000000007002}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000051524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.137{53069400-F152-62DF-4403-000000007002}3156968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:15.012{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3DD8F84D0B9911C8676A33E9958B0E,SHA256=D5BCDC731923C233E708786788565F5A7DED1A5A297A4C8C4C53D686B7E857F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:16.370{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C038D9D3ABB44568A39E33DA80B1DCF6,SHA256=5908653B36B7EFB12F564D722E20E1598058F6EB0E4BFF30E2D096FE66963BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:16.152{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88B0F58F697E791F33677EBB7AAC567,SHA256=DD9904E5F3A100FA3DDAF364EE73951BB46EF6ADAB03EEE394D1C181F76F9C84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:16.059{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F154-62DF-4603-000000007002}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:16.059{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:16.059{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:16.059{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:16.059{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:16.059{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:16.059{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:16.059{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:16.059{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:16.059{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:16.059{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F154-62DF-4603-000000007002}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:16.059{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F154-62DF-4603-000000007002}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:16.059{53069400-F154-62DF-4603-000000007002}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000274369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:15.094{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64796-false10.0.1.12-8000- 23542300x8000000000000000274368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:17.422{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24FEDAFE0B422DA03F77FB5D1E56EF6,SHA256=C9DEDBB6C315219C7A1EBD6EC7F857CCF5F084D5D8534FCCCC8C4CB65694B592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:17.387{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B85B8C11627E65A3239502946E176972,SHA256=B17304850986ED31A5F3A77708B8A6F48D61BF45E3205DB4F3813CE65B607462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:17.106{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF0DA3C1FC7224D5A2999D19C9A8F52,SHA256=AEDF985E8968B0D2F0A6C8C6137060A1E6A4A790C427F3B37CDC93B669443B74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:17.269{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=239A83ABB48E7A2C6B77005263F390DD,SHA256=934B8CDEE81FB4A7C8D4FC3651BFF4B6ACD3A47FCA975B5E9CC172B41CA53BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:18.468{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06825ED5ECE2DCCEA4E25C2D5FC0D309,SHA256=4804C429D7126B4042694D9AB34F1359B004E9A8F5FDAFEA08C6CC4EDF070E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:18.199{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA2F63045FEFB8C2FDC60BC7C7C2496,SHA256=695BF9A9B594BA24EEF6909093B81FEDF7B484889C1F1FBF5EF4408DAADC4EC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:16.256{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50902-false10.0.1.12-8000- 23542300x8000000000000000274371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:19.571{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1B0F182D8A7D5D81DDC660FE2EEEEF,SHA256=BED158320DB62390BF97F935FF10A868B61B0695DC611C04540DA8F38B4B9A64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:19.293{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32D005C873F32A7541CFFA54A01EBD3,SHA256=ECFD02B4F292A6019B86AEB8D37FD11E66F33E2A3828F277A1CF02212826A438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:20.706{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F598CDA01A7D56D0FF614EE92EC5406,SHA256=00C315400FDFD30CF1714554233D8B7CE54FBA22F866174938373059C8F7B180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:20.387{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=274B8457647FBE747DF3A42F19D9CAEF,SHA256=B84CFA67EBA83D2F89E4E84E5CFADFF18D8E8B8D615A5CFE53A3CAD59D74B572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:20.007{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-098MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:21.481{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA3DFB0FE33A155E98B1115FC45F8D5B,SHA256=D038A8C3F4E8F15CC28831B3E2361D812882809281890BE2670EB0A74D659BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:21.807{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E53D7F25E467569BE31BF04CC651C2A,SHA256=9B4D4BE0CF95CF20636005EF40546AC4D591A2D9C0A7D1EB60C860817F9E5C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:21.007{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-099MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:22.574{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B1B88DA155AD8342FEF67144E0BFCC,SHA256=2239B685E8CAF91CFD9B27DB156C6D19FFFBC2D3543B05D97B6B4C0359E2F257,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:20.126{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64797-false10.0.1.12-8000- 23542300x8000000000000000274384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:22.852{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6AB056AEEDCA8B615CFD47C21F92C0,SHA256=07D1EDBF03FC6A24CE6A73075EAD66FFA4566BF814DB181CADBC07F3F6F7480A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:22.206{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:22.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:22.206{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:22.206{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:22.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:22.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:22.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:22.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:23.668{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D273AA9443F976EF2AE397B8D10C89,SHA256=262D57F3B68124C8F045E67E00A8532B23B3C1EFB743B25EB3AAD5192CC20A86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:23.986{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED86B35A101B7ED33E4B366D92EEBE91,SHA256=7C1EDE26F40AA0644397EA2E94B448550F9D74DA9CAE8A5813B26391CE26143A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:21.272{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50903-false10.0.1.12-8000- 23542300x800000000000000051563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:24.762{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A67B98A3CC0ACD4EF4B45EE08C10957,SHA256=49CB28FF53B03840DD1B75DD2014BFAD2E253D7F60C2221F7DDD4949844E0EE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:24.267{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:24.267{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:24.267{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:24.267{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:24.252{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:24.252{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:24.252{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:24.252{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:25.856{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1EC7C018B9DC77DA00A2FFA02687853,SHA256=F957572406A925473844D952CE72C4C780C82E530850F61D92242FEC25D3F5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:25.120{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B2D4E95EBBD7798F9785C8D4AC5EBEB,SHA256=DDE94AE65D4BD106577D02DA86AAFB644674F9BCC6EF4B40BE64452483552F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:26.949{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2E8F2433A0BB0A995CB62BDBE30F71,SHA256=906C5385C670B54425673987DFFE16A4F45FE05F014AB233863DEF52C3FEE69F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:26.165{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31378B917A55FE6D9878245A4D17A84,SHA256=03FDD702A8C37C88041314A88DE796046215B04E902809BCD644D1EBE259E8CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:27.202{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814DCAF9B331C2DDD434CE99A0F4514A,SHA256=83533CF41F128C5614183DD84474504BA694AAC61E423B15E90AB1D755C17E70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:28.485{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-F160-62DF-1E04-000000006F02}5892C:\Python310\python.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:28.347{F81F30E6-D9FD-62DF-B000-000000006F02}56685648C:\Windows\system32\conhost.exe{F81F30E6-F160-62DF-1E04-000000006F02}5892C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:28.347{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:28.347{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:28.347{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:28.347{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:28.347{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F160-62DF-1E04-000000006F02}5892C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:28.347{F81F30E6-D9FD-62DF-AF00-000000006F02}56765672C:\Windows\system32\cmd.exe{F81F30E6-F160-62DF-1E04-000000006F02}5892C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:28.359{F81F30E6-F160-62DF-1E04-000000006F02}5892C:\Python310\python.exe3.10.5PythonPythonPython Software Foundationpython.exepython httpserv.py -p 80C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=B1E4A59F3F1C7B6F250319D58798D3B9,SHA256=0467DF606D98305B25A040E051CF8876A553A61DA1031E51E6E77B15FB18B964,IMPHASH=4532ED405F27949E7A9CE4879FC06EC9{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000274399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:28.248{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D127546C9C1B1E376A5BB2FB17EEB99,SHA256=B0F2380F08A62A02E6A09E131389572B407CA0BA1E84FEBB3F286A07B8610C0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:27.146{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50904-false10.0.1.12-8000- 23542300x800000000000000051566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:28.043{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1EF20C5A33EBADAD7381A11EE305A5,SHA256=61F3CCE1E3BDDD039B27C5C40CEB04FAD5EA4AD58C8E0824DF132CB0EF19354D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:25.207{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64798-false10.0.1.12-8000- 10341000x8000000000000000274420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:29.931{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:29.931{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:29.831{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:29.831{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:29.831{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:29.831{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:29.815{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:29.815{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:29.815{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:29.815{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:29.400{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5820078AB5958773682062998D10E49,SHA256=BA8C1A69F83F6EF736D2DF44C2D786D926494BD21FB4031DD5D682E856AB6B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:29.383{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6761562F7AD12397216142C44ACC9F40,SHA256=6C54B9F38A68EA0142BD0D12EEFCFAA612369108E78262D87F26A33026679B88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:29.137{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BA922A5A5507B7B56BECF43825314D,SHA256=F61A4C5E36C8B14877565766C77912678B6D5677A9CAEC81490E1E61C25A9247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:30.500{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235BDC65600BFDC4BB47901E0C2D6C23,SHA256=56F25986D83D8DCFEB5D61EC295E9D2D301B548D9D8D5456887735EE8A0179E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:30.231{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864BA57BA1B592CC2F1F01635D5D2C31,SHA256=45D14B141636E9E83DF0A6F6322DC9AC6614BD7AF63BDDFC0160750AF6D2D722,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:30.015{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:30.015{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:30.015{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.900{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDF340E282E8B56119CF32D6ECBCFF7,SHA256=762156A88F0AA000C82D9DB02CF6F691493621EEFCA9FD02BA82576ECC86BF23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.614{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.546{F81F30E6-D97C-62DF-1500-000000006F02}12281712C:\Windows\System32\svchost.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.546{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:31.324{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0017C5CE4FC38928B2BD463B102FEC3D,SHA256=3262D3F7E91E5C30E7D578EBB535A95C26F668771F2ADB851EEAD5588F2DE878,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.530{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.514{F81F30E6-DE12-62DF-7B01-000000006F02}62608024C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E8F4BC) 10341000x8000000000000000274451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.483{F81F30E6-DE12-62DF-7B01-000000006F02}62602128C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E37196) 10341000x8000000000000000274450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.482{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.482{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.478{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.478{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.478{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E4383B) 10341000x8000000000000000274445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.478{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.461{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000274443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.461{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E37196) 10341000x8000000000000000274442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.461{F81F30E6-DE12-62DF-7B01-000000006F02}62608024C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E33AC9) 10341000x8000000000000000274441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.461{F81F30E6-DE12-62DF-7B01-000000006F02}62607564C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+104b1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11e6c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2c1d4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+120a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.446{F81F30E6-DE12-62DF-7B01-000000006F02}62607564C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x12367bC:\Windows\SYSTEM32\ntdll.dll+a9414|C:\Windows\System32\KERNELBASE.dll+c7105|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+11fc7|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.446{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.446{F81F30E6-DE12-62DF-7B01-000000006F02}62607564C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+2d661|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+342a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+37aa|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.446{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.446{F81F30E6-DE12-62DF-7B01-000000006F02}62607564C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+3791|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+1ff2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13db8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.446{F81F30E6-DE12-62DF-7B01-000000006F02}62607564C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x101479C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+55fc0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d66|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.446{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.446{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.446{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.446{F81F30E6-DE12-62DF-7B01-000000006F02}62607564C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+7437c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+5522b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13d31|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+12047|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll+13c65|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.452{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe5.15.2.0-libGLESv2-libGLESv2.dll"C:\Temp\dcrat.exe"C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=E06895CC68C528CCD69780358C4A9DA8,SHA256=A7BC5B997A4051EF86F2BEC3C3E21254AFF16F8CFFF9ECFBBC06F73DA39D5F9D,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000274429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.446{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.446{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.446{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.446{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:31.030{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D54ACEB99517C5B26D2668AAEEA0A756,SHA256=2105FEEDBC80E5E653069E6985476B16762F8FAE702F49CD6B620F71C00B0AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:32.418{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163A51316957684CE1678D1092D97181,SHA256=2F384C22ADEE3A3DB1858D27BB5B1546D25D64B1BA973FA58429B0EFA1975AE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.901{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F164-62DF-2104-000000006F02}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.901{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.901{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.901{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.901{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.901{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F164-62DF-2104-000000006F02}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.901{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F164-62DF-2104-000000006F02}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.901{F81F30E6-F164-62DF-2104-000000006F02}7108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.585{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D15225527A07F58BEBD7335E40AC5F,SHA256=BF11B31E9FB6DF7D6C801334BAD7ACCA50D76EB534FEA16792D2383947FF4926,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.401{F81F30E6-F164-62DF-2004-000000006F02}71607552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.217{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F164-62DF-2004-000000006F02}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.217{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.217{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.217{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.217{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.217{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F164-62DF-2004-000000006F02}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.217{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F164-62DF-2004-000000006F02}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:32.218{F81F30E6-F164-62DF-2004-000000006F02}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:33.965{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=908C9EBF4EA53EC511A1F100AF5CF032,SHA256=14A68609D97E6FA7536263518348D8828243BC5DB750F267F3BE4AB709606B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:33.512{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=673F6677B78833BDC38097A7F35825AD,SHA256=9C9443B14131DCEA2A8DD962606F069860594733B6E11AF4A5D5C2306CABC923,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:33.632{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:33.632{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:33.632{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:33.632{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:33.616{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B185D498D7B06635968CB44B3EBD6916,SHA256=3D7F7C7674BAA565783B88D7F060FF833E6C29E7C9E4251248E77BD09E0524FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:33.583{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F165-62DF-2204-000000006F02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:33.581{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:33.581{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:33.581{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:33.581{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:33.580{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F165-62DF-2204-000000006F02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:33.580{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F165-62DF-2204-000000006F02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:33.579{F81F30E6-F165-62DF-2204-000000006F02}5136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000274476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:30.267{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64799-false10.0.1.12-8000- 354300x800000000000000051575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:33.162{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50905-false10.0.1.12-8000- 23542300x800000000000000051574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:34.606{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7492D4A6C12C463578C24A78A97410EA,SHA256=BFDF2AC13182D08F25109ACFA1DE989156FCCAD7F350B61146C3AC4BC6D3DA3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.963{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F166-62DF-2404-000000006F02}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.963{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.963{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.963{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.963{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.963{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F166-62DF-2404-000000006F02}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.963{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F166-62DF-2404-000000006F02}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.964{F81F30E6-F166-62DF-2404-000000006F02}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.885{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-E923-62DF-FF02-000000006F02}7404C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65767|C:\Program Files\Mozilla Firefox\xul.dll+85d545|C:\Program Files\Mozilla Firefox\xul.dll+8514da|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+17686da|C:\Program Files\Mozilla Firefox\xul.dll+1a277f4|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.703{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5D34C65FF785089D41B5F06AE193979A,SHA256=93DEE7908456D0ADA9114CC9F08D7875CCA394274DB4A11D6D7E33802778F308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.632{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99CF1212E409052D444FFE8138485DCE,SHA256=64D68578ABD8A95DD5924B3C844FBDE5424133C73A745813DE9295C6ABBF3499,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.616{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EB43-62DF-4503-000000006F02}5412C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65b59|C:\Program Files\Mozilla Firefox\xul.dll+e65e38|C:\Program Files\Mozilla Firefox\xul.dll+11f018b|C:\Program Files\Mozilla Firefox\xul.dll+e627c7|C:\Program Files\Mozilla Firefox\xul.dll+e47217|C:\Program Files\Mozilla Firefox\xul.dll+1f2a9d2|C:\Program Files\Mozilla Firefox\xul.dll+1a3720a|C:\Program Files\Mozilla Firefox\xul.dll+1a39c05|C:\Program Files\Mozilla Firefox\xul.dll+183f230|C:\Program Files\Mozilla Firefox\xul.dll+1c23afe|C:\Program Files\Mozilla Firefox\xul.dll+1d7f4a3|C:\Program Files\Mozilla Firefox\xul.dll+183ce1d|C:\Program Files\Mozilla Firefox\xul.dll+1803207|UNKNOWN(00000034CA761DF4) 10341000x8000000000000000274498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.432{F81F30E6-F166-62DF-2304-000000006F02}48962608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.263{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F166-62DF-2304-000000006F02}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.263{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.263{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.263{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.263{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F166-62DF-2304-000000006F02}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.263{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.263{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F166-62DF-2304-000000006F02}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:34.264{F81F30E6-F166-62DF-2304-000000006F02}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:35.699{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11AF839B5A0B515E7C03D34CAC94F68,SHA256=8216141BB7CB9780A925824B89272856AF0369745A020DADFC52022D7721CE9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.784{F81F30E6-F167-62DF-2504-000000006F02}68007852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.684{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204996FBE0BBD084233DE8E34A18C5D4,SHA256=4D8B9E7E235CC976339819DF8F77D4CAF2EF5A5349B5CEDC7DD4403C515E45CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.631{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F167-62DF-2504-000000006F02}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.631{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.631{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.631{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.631{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.631{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F167-62DF-2504-000000006F02}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.631{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F167-62DF-2504-000000006F02}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.632{F81F30E6-F167-62DF-2504-000000006F02}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.400{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A7A002F19D136A5B5EF23436262CA9B,SHA256=57B8AFE56DC010B4A5D460AD5466327A87DB360AD2548BE66B9F9BD75A245F24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.131{F81F30E6-F166-62DF-2404-000000006F02}6448924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:36.729{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F9FAA050B76F6B3E50F755FCED10A6,SHA256=ACBF9E589C2D5632687545096DE350E934DD0FC9D0DD90CF4A4BA21987C87EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:36.793{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7BE105F11F27D1D76E3614F9495285,SHA256=ED8B739960ADC0E66735F05D089842BA680ED546C428ECEAC4ADC694B0A2398F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:36.246{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:36.246{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:36.246{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:36.561{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\cache2\doomed\13713MD5=768F037CBDBB7FBD382B5F21C78B14BB,SHA256=C2BB5F2E362EB485D61C4A35B0D64DF0BA9912FA235371A809CD79C7055E53E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:36.314{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F168-62DF-2604-000000006F02}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:36.314{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:36.314{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:36.314{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:36.314{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:36.314{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F168-62DF-2604-000000006F02}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:36.314{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F168-62DF-2604-000000006F02}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:36.315{F81F30E6-F168-62DF-2604-000000006F02}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:37.878{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4E6DC956C04EF87C1928D8AA52AD96,SHA256=6D81B23B93979598E35591E6072F4002AF05712CC53956A583FEB588817DAD76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:37.887{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1059E12B9FC20005BA4B18E60F45015E,SHA256=9A37952B43AB41A7F0784022C316D2B9D8664960C534540632AFEE627F3BFD91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.561{F81F30E6-F160-62DF-1E04-000000006F02}5892C:\Python310\python.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64801-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 354300x8000000000000000274535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.561{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64801-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 354300x8000000000000000274534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.561{F81F30E6-F160-62DF-1E04-000000006F02}5892C:\Python310\python.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64800-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 354300x8000000000000000274533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.561{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64800-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 23542300x800000000000000051582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:38.981{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C91647588577B7D10C8A2F0D560EAE,SHA256=2C1417D7DAE770E0CEEE6825338D0C2A2D348F6DE4C00F1CD75DAB1AB215F946,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:35.562{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local59101- 10341000x8000000000000000274548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:39.480{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:39.480{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:39.480{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:39.480{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:39.478{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:39.478{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:39.478{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:39.478{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000274540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:36.203{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64802-false10.0.1.12-8000- 23542300x8000000000000000274539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:39.012{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83154FD7FD0914C3D823DFCA2B220D9,SHA256=6D66734A15FA95D9597FF41EAD2667964BB11AA4325779796B1C3A035350C772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:40.158{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D17C52C5C727D365C580044488EB64,SHA256=88E2A5781B32CE14FE9A389BF05CEB6122417F505CCAD82A07700AC9054FF34D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:39.131{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50906-false10.0.1.12-8000- 13241300x800000000000000051584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-SetValue2022-07-26 13:51:40.090{53069400-D97D-62DF-1400-000000007002}708C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8a0f6-0xd4da5333) 23542300x800000000000000051583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:40.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3331C8D10EA18A83948441B452875504,SHA256=4710B007FC3134E1C77CC0418BB5736FCD3E7DD24637EFF465E88B254E84A980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:41.195{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EC198C7130F1142C451DF0EC94970F,SHA256=B102C2982AFEBED23830D7D901DC7E7ACFCB9B7296063092F747598CC94D028D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:40.146{53069400-D97D-62DF-1400-000000007002}708C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x800000000000000051586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:41.168{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0B829BE74AB34A2E7E176E643C626B,SHA256=9A3C3B909AB32E06E62EFD3E38A89AF39A3C7836DDDDEB34DC4C5075B9253794,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:42.909{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:42.909{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:42.909{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:42.909{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:42.656{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-E923-62DF-FF02-000000006F02}7404C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65b59|C:\Program Files\Mozilla Firefox\xul.dll+e65e38|C:\Program Files\Mozilla Firefox\xul.dll+11f018b|C:\Program Files\Mozilla Firefox\xul.dll+e627c7|C:\Program Files\Mozilla Firefox\xul.dll+e47217|C:\Program Files\Mozilla Firefox\xul.dll+1f2a9d2|C:\Program Files\Mozilla Firefox\xul.dll+1a3720a|C:\Program Files\Mozilla Firefox\xul.dll+1a39c05|C:\Program Files\Mozilla Firefox\xul.dll+183f230|C:\Program Files\Mozilla Firefox\xul.dll+1c23afe|C:\Program Files\Mozilla Firefox\xul.dll+1ddb46a|UNKNOWN(00000034CA767E14) 23542300x8000000000000000274551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:42.256{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5819C70568A6CBED2D09438E8AEE41,SHA256=7AD5101A924EDA89CCFCEFC65BDC009C42187130DCD319CFF91985C6F5E45831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:42.262{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06BB818B5DB2BBB2E5F0F37A6C7E2BB,SHA256=CCCC1828E87C5B8E57FE54F7773F0BFE149E1F538FB7BF3F4311B4370D1D54A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:43.356{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3DBE425566DBBE1340F39703C15FE10,SHA256=475F4312450BF127519E2EF410782F60B554C52AFBB29F112E7DC0FF1724FA5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:43.293{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C7D77E0BA8CCDA0168D8DA8A4B476A,SHA256=00E5BB14F8559D6058CD795C04681379720068DFE056B90520458B83CDC1D9B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:43.009{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EB43-62DF-4503-000000006F02}5412C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65767|C:\Program Files\Mozilla Firefox\xul.dll+85d545|C:\Program Files\Mozilla Firefox\xul.dll+8514da|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+17686da|C:\Program Files\Mozilla Firefox\xul.dll+1a277f4|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:44.450{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE901D898163CAB699ED103325F08B56,SHA256=D7C72A80540CA97F806A6A96903E8C51411719F8211BD3B278AE5DA3B197EA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:44.323{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47091C1EB62EF56B4E71699B2302BC7A,SHA256=E0677C4DE5F2DE45CA2DFEFF8AD2E83E028A0C121806917793A81AE0F0606B81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:41.230{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64803-false10.0.1.12-8000- 354300x800000000000000051593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:44.271{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50907-false10.0.1.12-8000- 23542300x800000000000000051592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:45.809{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:45.544{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A845FB363F6BC295AA6FC2DF5B89C4B,SHA256=A8E919104DFC4958A07A16C0524F893414A17C8EF26E40E8A6C6E0722FA3E278,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:45.775{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:45.775{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:45.775{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:45.775{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:45.775{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:45.775{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:45.775{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:45.775{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:45.371{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2823DCA4C0AA233CE2CE11C8354A1B98,SHA256=6D5E85BF05D673E5C813123000D20CA4B8076F570DB6293C7E9C0A4910A38422,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:45.865{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50908-false10.0.1.12-8089- 23542300x800000000000000051594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:46.637{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47BDFDDC66677A593D9832B938DB762,SHA256=B8A5C7256BB7C025DC7413EF09A08BE709764C5C5B54A3F355626148F3B5EA84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:46.405{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3D23722EC48629B88C619C47E65F5E,SHA256=47E035AE365F197F7AD03B653480510B627E3D3C8B971200CE0D52539582C7D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:47.731{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E6AC0F61EAB0FFB696C3DC12D861DAD,SHA256=6598A25686E1A1F7BB574D82214E4486EB9D5D0E8395F51AE8D7AA8555A93D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:47.451{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BE6B819E709B4EF5CDF0D79B839083,SHA256=C99346186F980F7CF2636A774C37CB97D6D94B4081127B09E74E5038EB509917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:47.559{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BD1DE07F0584F73C899FB96763F2B29C,SHA256=1ECDF0F0D42DBD257400FC2CAB8F88110552FD39894B36A3C0A316633FF62E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:48.825{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C979C1E400D3B81F09921B2BD5D1B929,SHA256=3522E14BA5429442F01898769224C217070714F8788ACBF17CA0947F78B2A936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:48.788{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:48.489{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF85D43CDA711E6CC1264AA9EC9E747B,SHA256=D812B384935AC25A327D50638AB1DD7C65D01A282438A869713D76A418C7403E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:49.919{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1489654F04EB8288604A08F7EF7F6B0,SHA256=BF7A2C4022FDCAF5E4B36E537F19DD55BE9F4EAC9F37E8D511FA52270850CD28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:49.534{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B908CC108C5042247736EB07ECF53AD,SHA256=332664CDD747FB1A227C949A2E138F72F35FF26DA97EE2B411FB20D09C8C7B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:50.569{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811614E8002A3F005C0678C14CB4E11A,SHA256=CA7C5FBF36FAFC3DA1668C0615FC8B7332ED59C6FFD0B08802B3A1D23C4C8321,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:50.418{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:50.418{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000274581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:47.772{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64805-false10.0.1.12-8089- 354300x8000000000000000274580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:47.226{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64804-false10.0.1.12-8000- 10341000x8000000000000000274579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:50.402{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:50.402{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:50.318{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:50.318{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:50.318{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:51.602{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A203651FAB6E36FF12E82D05E52414A,SHA256=5CC04CE7468D907F756A04E7474F42808D335AE74471DACCC4436332DD967C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:51.012{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3843A65E32884CE3509A3BBCEE50F7F0,SHA256=AE6C432F031DB3F1E86274568078CA8A136F5DED43F046FE1CB9E492C9988F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:52.733{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=090B7A540326EF2240065D7ECBD7114F,SHA256=225F745FCFFBEE63BC75CD986400355F584E207B7BDF19D88A9FDB4AAACA0B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:52.106{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0111360D04FBEC461BFF3ABCEDAFFF4D,SHA256=3429133D2CC85FC204EF8BFA698241DE4F7231463FA2B112441E58044851F04F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:50.271{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50909-false10.0.1.12-8000- 23542300x8000000000000000274587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:53.767{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E83461311E14CF6AE711774CE3591CD,SHA256=688F42430B78C4B9CB9B09A7103505AEDE9A780161E5DF9A7E128DB72AC6F6C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:53.200{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17A045003A3668E8DF087DF68FFB6F2,SHA256=DEE635BC7E771F12EFDFFC82CDCAE3396C8737CC59EA22C500F60FEC5BD17D54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:54.802{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7880F1219D3F16E28BEAA166F4315DF,SHA256=93BBE35F8457F7010CCDB094467E51910E3D8FDDEC58AA3C34D073DACD2327B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:54.294{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38ACEBC4086D33549E6EA155EE0F14E,SHA256=CDAE4B4708877422D8AA6D0EAAEBB7879397E5ACB073EB1D87D8035FA0E330BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:55.948{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A920828058F3431D5286A20664AF1AE0,SHA256=E0A852AC47B0F1C1505E497DF47434F964C29950A8B4AA35D41F5372B2567890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:55.387{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C583D9CECD716A220FD371CE2006D46,SHA256=F30F0FF3E300A57609A58E6FEE31F1F409984A6F9DF465E3B75298DE77EAB312,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:53.071{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64806-false10.0.1.12-8000- 23542300x800000000000000051606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:56.481{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60C3DCF48FC00431C7B5FFDD5D14B0C,SHA256=81BA42533499A0D2283AE439F7B4F4FC66BD69A0770B49C97D453D7257876EBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.385{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000274629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.385{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.385{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF5dcffd.TMPMD5=07A8EEA392A63B45D05AB07AEB53AD56,SHA256=96E0E3067BEB1889266221D44DC4BAF875CDC9DF47F2E353EE64800B14CE381D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.368{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\aborted-session-pingMD5=DBB303FD4581F4E8F25216E39B25E65D,SHA256=E3F315A9CBB278DFB0298AFA42B4E2871F2867D767BF957A71973E09F45D33F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:56.201{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:57.575{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A202D6AA2EE1BF0699A7B7CAFBD6E9BA,SHA256=9EA4535E1C95924D7043C22B47BA1EEF5539B3BF5B3C2184CCEA657A94ED9901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:57.384{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856B303DF63C01CA8C8A37F97781690B,SHA256=A82CFA014D3BCB88005A3F1D57DDF5B1E267CF989B36EDAD2BEAD35CB64D9DAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:57.315{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:57.315{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:57.315{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:58.669{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8660717382F565AA3D09C244CE2EBC89,SHA256=F4C783B840B63D4F0C7FC6FE28AA38B366320B2EF7AF5B7B4B1CF70EA42180BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:58.364{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468842DD132FC18C7823B5C0EEE93DAC,SHA256=F7C80E8321C5499F3806B56C158D10BC66F4330996442AAC891EB1C80FF348CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:56.163{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50910-false10.0.1.12-8000- 23542300x800000000000000051610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:51:59.762{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A27F7E1994C91DB11B27C5C0831B90B,SHA256=F3FFD82EDCC5F8F08B4BD061B10E360916398A4FBFC9986CD715039DB8663E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:59.413{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF042820129DFC848B02EB064D81182A,SHA256=50BF16ED81CA78F06B4D11A8E3A7E114B257B11AAD511408BF7A94468B3F72A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:00.856{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A5CDC46B9F18FAF3F30F49A1B4069C,SHA256=778C953DAD526C65AD0C8BEC5ADD594022C2B31429AE08E556ED2DC9D931D0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:00.444{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD73619C1F40107D94238520299A25E,SHA256=279C15D3AA6512FD4871474ED76A079A4A6894948F1E758F869C3914F0AD8515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:01.950{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE80186569183FE4DDF142BB3D5B413,SHA256=B2D1490F5DA3A3F99A5010E787D82A67420EA291964BA2E507725F8FDF67E0C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:51:58.150{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64807-false10.0.1.12-8000- 23542300x8000000000000000274639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:01.496{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3338E251B3CFDC72B78DC312874F5675,SHA256=FD756F536AA7AF3F0AF4BB9583AD05E733DEC08F20FF66593F4E342F8F4214BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:01.312{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0D3F97E9FE828DF421BCD356956EC738,SHA256=D1A1C7E02973EE58AAD7A083F8AD201AA667664CCFC171B9BEB61EEEB04D4B06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:02.660{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD17F7D14968A7F267762044E4E79FB5,SHA256=011534B2D7AD1E8DA39FE800FB0FA00B54254A82906B42B3996B09144047FCE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:01.162{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50911-false10.0.1.12-8000- 23542300x8000000000000000274644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:03.810{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63AEF520D465CB351D097E03E670C186,SHA256=A4EABF3CAB9C9C89166BFC4FFA5863B989D229D85A7DD788E5D49065659B80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:03.044{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0BD0303F685546748F49006078430BD,SHA256=3E6511FEFFFD457B7140C253EA58D62425D74ACBA4E829E1CC534D28F2ACFC3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:03.660{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=821003E9789DEF3CF0B1DEC1A26F1396,SHA256=C208BBF3713AF812C59B533066687743CECB1B1E44C9A3C864F47F0ABED79CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:03.160{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=57D6F5239FA46A8CC08E63B4EC48FC6D,SHA256=1D6C5F0433789ED868D6A26B0A3C57C6BA85806FBAF0E72BAE763CAB84BEF1F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:04.826{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F858228039FCCBE648CF8CD7DE162F,SHA256=260C7EBCD21ADF682DFDA93D95BF344ECF35854ED159F0E5378B8D9540A507C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:04.137{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D17F17E18F6D3DC2273B775F6ABFD06,SHA256=F12D08E3ABCC1B0A30B0FCC6CC2F0885CBDEEA9AFB9623CF5C532C0C886B2564,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:01.616{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64808-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000274645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:01.616{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64808-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000274649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:05.858{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49ECC2ED42DF9F400885996BED1ECD0F,SHA256=55741D754158A2C84B51545967B8A175E740F70D37D9BB8FF08B8A3B424C9094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:05.231{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027A6278C476E6596483BD1FBB9DA61C,SHA256=38F01190E8B5F59EE148F933AF1CF630DBC44B14890EDE129849E4811D292F84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:03.215{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64809-false10.0.1.12-8000- 23542300x8000000000000000274650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:06.997{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5113B3AFD136CF23A7ED8B83AA0DE51A,SHA256=4D4E7464717FB111B193A76B643D0CE47C61B3DFB4ED85E7BD51FF59D13FC2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:06.325{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5BE74CD20E476B8DA6A2AA880ADE41,SHA256=894B75EF240D752BC98F96141C10AD5984C68B35062177383B7505D4A2EEC96F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:06.240{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50912-false10.0.1.12-8000- 23542300x800000000000000051619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:07.413{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E207D25BC9768821411E3A27B0E32751,SHA256=57686830C131E5B798A817B14D594D47DC1AF684897735996CD887CFB05D2AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:07.377{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-099MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:08.385{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D2AF3786547A6A19EDFC2A4E21FF75,SHA256=D1C94D7A508A4F8BB2F1D8C76A5D563FD91051147C9576E2328AC0E50CEB86EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:08.143{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49AC011299B7C8622D95802B827D88FD,SHA256=C61F599EBEEC315B24EAD5289E84C6FC3F5816068A6260FE92B650DE92AA0227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:08.377{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:09.485{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5B0F6D1B3A92EAEF8665ED4F9C450A,SHA256=18555D937C056AFA9BA7C988860C26E6425AED6BA7A90ED49DDFD0BD19497BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:09.260{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B89CE6F4BEF9FD91BF894DA9FD6D01,SHA256=F4FAAB86FC81F6683C24994461983AE77745FCBD59AF3FB02D69E9ECA87C145F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:10.579{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747C86BD23EFADCBB52CC2697F516764,SHA256=F8BEA24DE8C42E1EAE3D697EBCDC71F80D875859929949C180A6F969A25B0C8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:10.295{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DAA6BCB187DF61868EF86DC2BAD1EC,SHA256=39C000A4415F648C417F4256D9D98B0AE85D64D744C5EA11114E15734F134D17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:11.672{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DBF5CCFCCDFE57DECFFF362670980E,SHA256=216A5C643E50E6B7B217CD0DD1E692BC418E1C76E29192B3E47B71EA111A675A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:09.064{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64810-false10.0.1.12-8000- 23542300x8000000000000000274654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:11.441{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6880A92555DE8B415257B13C2908DC57,SHA256=F978DF715568E6776B008795B296B3717BE18C48DEDA342EAF13833696AE4062,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.876{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F18C-62DF-4803-000000007002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.876{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.876{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.876{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.876{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.876{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.876{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.876{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.876{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.876{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.876{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F18C-62DF-4803-000000007002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.876{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F18C-62DF-4803-000000007002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.877{53069400-F18C-62DF-4803-000000007002}1228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.766{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B53B53BF56DBCA219519B79085125E,SHA256=A63F366C7A8FE0C4D489B506FC13FD13FF9A707428CE276D3E5BB93B8D45E763,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:11.248{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50913-false10.0.1.12-8000- 23542300x8000000000000000274656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:12.460{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4B0FD9AA69212FB0F4AD91FA5C62CA,SHA256=C65E55F67B9B85DBFFC9C88084D82F3F7569A329045A5195E4709C79A1C231D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.594{53069400-F18C-62DF-4703-000000007002}15203324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.376{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F18C-62DF-4703-000000007002}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.376{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.376{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.376{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.376{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.376{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.376{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.376{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.376{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.376{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.376{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F18C-62DF-4703-000000007002}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.376{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F18C-62DF-4703-000000007002}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:12.376{53069400-F18C-62DF-4703-000000007002}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:13.493{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F9B4D0628A82C95E240E248D5012ED0,SHA256=1BACBBF4670C956BD12855395215B58793B0714D9EE71E12F9EC693DC92B5E62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:13.547{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F18D-62DF-4903-000000007002}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:13.547{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:13.547{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:13.547{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:13.547{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:13.547{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:13.547{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:13.547{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:13.547{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:13.547{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:13.547{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F18D-62DF-4903-000000007002}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:13.547{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F18D-62DF-4903-000000007002}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:13.548{53069400-F18D-62DF-4903-000000007002}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:13.516{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2577F284F689791D795B0B38A3ACDA9A,SHA256=8B6A2709802E1BFA84FCE912D4A99BAF4773577DF9AEEBBF996280E1A85EA6A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:13.047{53069400-F18C-62DF-4803-000000007002}12283644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:14.656{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05393C9AE17513EA21A5D6B85B8AD3EA,SHA256=9B465E2A3D351B1D8E328B864E3F14456788A82965F395E918C365C711ACCCEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.891{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F18E-62DF-4B03-000000007002}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.891{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.891{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.891{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.891{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.891{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.891{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.891{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.891{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.891{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.891{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F18E-62DF-4B03-000000007002}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.891{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F18E-62DF-4B03-000000007002}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.892{53069400-F18E-62DF-4B03-000000007002}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000051684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.376{53069400-F18E-62DF-4A03-000000007002}18443096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.219{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F18E-62DF-4A03-000000007002}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.219{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.219{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.219{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.219{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.219{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.219{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.219{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.219{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.219{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.219{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F18E-62DF-4A03-000000007002}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.219{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F18E-62DF-4A03-000000007002}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.220{53069400-F18E-62DF-4A03-000000007002}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:14.016{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D923D200D590B646357A94DDDDA0766,SHA256=2D932EF8890D4EDD27D72E45640FCD825F3EE10EAE17F9875A2DE42559659B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:15.756{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F359D2062CC66C8747CC8761DF708807,SHA256=6C508828377DF5346506BC9DD638155120C4F0AB72A693DA74EA302E9CA6DED8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.938{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F18F-62DF-4D03-000000007002}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.938{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.938{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.938{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.938{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.938{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.938{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.938{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.938{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.938{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.938{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F18F-62DF-4D03-000000007002}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.938{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F18F-62DF-4D03-000000007002}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.939{53069400-F18F-62DF-4D03-000000007002}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000051712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.438{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F18F-62DF-4C03-000000007002}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.438{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.438{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.438{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.438{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.438{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.438{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.438{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.438{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.438{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.438{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F18F-62DF-4C03-000000007002}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.438{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F18F-62DF-4C03-000000007002}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.439{53069400-F18F-62DF-4C03-000000007002}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.266{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBFEE2EC6DC83DF44BFEC8D11EB2A2BD,SHA256=688733EA82B85C7F9793AE3F13034FF09C9CA4BF646445D527B8CBB73ADF5674,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:15.047{53069400-F18E-62DF-4B03-000000007002}35042652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:16.438{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3F920E89DF439D92AA45EBF787615B,SHA256=01EA41142C95D6D9CD97EED22D85F9AD354D3463034FC277F2E019A5A078EA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:16.805{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=555C31CEB53A30F89E65D9BC4EE9E839,SHA256=2E4739EE954F4BA1D41679C5DC769D5F3FBA7A31FF6DE07C02C4FE067D178A4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:17.797{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D2B53E803513DE36277070E017B3DD8A,SHA256=A3DC6F345F1DCE7F03BBBE0EC0FBFD8D1F35CCC19950C0228CD4D0C15F473174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:17.751{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6E7E3D48AC506B07DF9750E571AF29,SHA256=4C671E057347EFBE41CCA27D6467B9AD07A86481D3A666224A9922EBDEAE7A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:17.852{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407B5509188DF7A1C3A890D79F7627DA,SHA256=15BB08CDEB51CE58FE796A99C6B01855518ECC30008D335298CE4B91801AC0B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:15.096{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64811-false10.0.1.12-8000- 23542300x8000000000000000274664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:18.888{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A35FFAB3676BD66F52B6B428FEAEB7BC,SHA256=E54F17FDB703C70D78B05CAAD6B7F8552FF1852C9E8461BCB3C28966A5E78196,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:17.244{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50914-false10.0.1.12-8000- 23542300x800000000000000051729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:18.860{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899D29C5789856E4E2E4230CF5076174,SHA256=3D59F925F19A8669BB79E7CEEB6FA0CF0DEC8E1052FD379215D5D27DB1A99E0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:18.204{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=8B3B7D77058C2A6DCD72563C5832B1FD,SHA256=2BFEF56A71B4F6C906290F8AC23F030B47FCAB0C74E6BB357927441769A94508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:19.954{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023D0A5B5535A6413F47EEC24172872B,SHA256=286F83E9BBBF0FBABDE73B41E8F264B15AECBF9CFEF546B4E1834208F990535A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:19.918{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A75FBCE883B124C906B18BA4C18E732,SHA256=1EC0D7C844C1603B78519E1B41C9CA1F720D195FE75C61D50AEF82C2EAAE0035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:20.950{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1B6A419CFBB8F37CC67E3A2671C7E1,SHA256=EA95152E6D1B82FAF429B11F9A7C73A214B3DA91E9C9A9F00990835F8F57A5CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:21.047{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D79A4873283FF15C2E569EAE89EE4C,SHA256=638D97A1E13F14FFCB612D30FF6034BDADE2DF1C6CC17D95471B5DE1142D40E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:21.534{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-099MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:22.141{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=821BCA59F6E1840F7AFFD76BDBD016E4,SHA256=6A1C3CC422F2DF55872C8347A1A39209A2F0CFE05924FB330B84FC63E1C493AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:22.548{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-100MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:22.069{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C2485848848C7542B6FB227AC084A4,SHA256=BE2B88DD83A7F9D7A18F76CA8A8C819F94299FA9BADF5502476DA48C466380EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:23.235{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB56EC28607B1ADDA51F37C6C4FB643,SHA256=F0A051EB14A988DC8082B5A80791D62B518096EE7A92A30FC6962C1D3410BF50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:23.185{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:23.185{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:23.185{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:23.185{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:23.170{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:23.170{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:23.170{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:23.170{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:23.170{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646FA57A6A5103BFFADC8EA2353577F9,SHA256=C30800680908B2A2C81FA37A28DA98C556D66715820B9404ABE8188519062398,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:20.106{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64812-false10.0.1.12-8000- 23542300x800000000000000051736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:24.329{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861E0B0254FBFE1AA0A54F7C097B6FC7,SHA256=B1E5ACDBEF5DF21B8A92E580221421163A7706C716BA8DA605DC2F47745F608D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:24.203{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008ACF3FF709BF9C89C297C302510DE8,SHA256=F294A43FB7DEED91ADBE3ED4F8D680CA2D3E6347A2E05728906DE8F972145092,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:22.260{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50915-false10.0.1.12-8000- 23542300x800000000000000051737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:25.422{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1ACD9FDAD839BA664FE0D654D11CEC,SHA256=6C7CB4D0DFD5070F20273DC8A05F7AF20147F44883E4DECA737424D47712562B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:25.233{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A22A7A6383B04FC91C1A537887D7F4,SHA256=FD6B50DAB66663E4546502C4878219665DA41C0C4AC52E0634F1488EF31BD4C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:26.516{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF87FF1B2F99E15DD436DB467E4198F4,SHA256=0B5C1CF162920223EE80B64534B5C0238D9DFC5BB37C0E2B0F1873AE90EA55FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:26.770{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Users\Administrator\.idlerc\breakpoints.lstMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:26.770{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Temp\h.pyMD5=776ABE01BEDCC17F182C3DEEEF44BF9B,SHA256=AE81D1616770CA585EC5E271AC7278C2EB8B3BF08FD41906A8F2C8500DC7B71E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:26.632{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Users\Administrator\.idlerc\breakpoints.lstMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:26.632{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Temp\h.pyMD5=A4A8A2B1C17A45CF849C104F09BA6D49,SHA256=2E28B2F51759A3686F2BED4D1400EDA285E9CA542ACC0E8EE7CA25A512E36686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:26.333{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395E2EC110419FD4D5B0EE77E5A9D277,SHA256=3AF4C84862442243C6DB9C64F0C3829EEA5950C0155FFC59BEA12EBE421AFAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:27.610{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A641D1B37804591F43DD311C6E4835,SHA256=60BEBE1A07C77054BB5D61748009BE41F5D0468E76592D697A999FE9EE7595D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:25.154{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64813-false10.0.1.12-8000- 23542300x8000000000000000274687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:27.369{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BBBC83D0796BEA99B3990ABDB9BD20,SHA256=71B5F76D2EA557889AEF74FAA71D8D3326DF0B4810D2AE6E83C582723DCB0248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:28.704{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3730069F8D4902064A6FE55B04ADA790,SHA256=874104538CBF0A3155EE1A3740449E2CE65219D1B8B946890B36738D862BCF5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:28.768{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:28.768{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:28.768{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:28.768{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:28.753{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:28.753{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:28.753{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:28.753{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:28.400{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D223DC814D955CB7578F7DA7EA892F,SHA256=BE9EFA8893A21596A852EDA6D33D357A80127AAA61C5EA6FD22016E33F6CCCEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:29.797{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8216CE8E98056A6E4BDCC18D9087AC53,SHA256=ADDE87C243654DA2CAD9279B487C357CAA6A0A0FC81B897DD03302F1FE8A80DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:29.450{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557A5B5CF03CEE2B054702ECD8D3869E,SHA256=65D29684E472919039F2DD288F5EABD13DB77DD70538B5464DB9C4CE5FE817C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:28.119{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50916-false10.0.1.12-8000- 23542300x800000000000000051743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:30.891{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C9B11E745DD5A939A99F59D8BA4289,SHA256=053EAA85AB2B5DE77F98126D59119E3B1440C0B558B414A60F5F0593EED333DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:30.498{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6B28581196B37D609A54F9A7484065,SHA256=495C9DD09B2AFA62D9E53345C618DA2EC0AC7B89F5A5CEB4672B0B6A033BBC15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:31.985{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6D5D9DDFFDF6B3421253EBC643DDC3B,SHA256=01B2E3D1457F11F839D329F57275FCC0107ECB7AC27F8B75C25CF8C0DC1968AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:31.566{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FC3783E843F0877BCBFAC55C0237146D,SHA256=5EF057DB6B12C01587BA272D9DFF643D54629C8D93091B3D624438F7DDD49F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:31.528{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE620F50AB6D198B5DE4C45940891B1F,SHA256=3B9B93160D357873F729E02AA96372DC667232347D8F3B28703B1E53AB593FE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.895{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F1A0-62DF-2904-000000006F02}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.895{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.895{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.895{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.895{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.895{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F1A0-62DF-2904-000000006F02}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.895{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F1A0-62DF-2904-000000006F02}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.897{F81F30E6-F1A0-62DF-2904-000000006F02}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.847{F81F30E6-D9FD-62DF-B000-000000006F02}56685648C:\Windows\system32\conhost.exe{F81F30E6-F1A0-62DF-2804-000000006F02}2552C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.845{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.845{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.845{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.845{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.844{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F1A0-62DF-2804-000000006F02}2552C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.844{F81F30E6-D9FD-62DF-AF00-000000006F02}56765672C:\Windows\system32\cmd.exe{F81F30E6-F1A0-62DF-2804-000000006F02}2552C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.844{F81F30E6-F1A0-62DF-2804-000000006F02}2552C:\Python310\python.exe3.10.5PythonPythonPython Software Foundationpython.exepython h.py 80C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=B1E4A59F3F1C7B6F250319D58798D3B9,SHA256=0467DF606D98305B25A040E051CF8876A553A61DA1031E51E6E77B15FB18B964,IMPHASH=4532ED405F27949E7A9CE4879FC06EC9{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000274711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.564{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B276A93D10F7D710239DA02594CD357A,SHA256=572B8005B74372AC5D58B9673CCBFC1EF544B7697001A5F1C3C45B3907CA4411,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.428{F81F30E6-F1A0-62DF-2704-000000006F02}18606384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.227{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F1A0-62DF-2704-000000006F02}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.227{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F1A0-62DF-2704-000000006F02}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.227{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F1A0-62DF-2704-000000006F02}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.228{F81F30E6-F1A0-62DF-2704-000000006F02}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:33.626{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FDC48FE626CE672F7E31B4637DEAFD9,SHA256=0052B0F15CB7E66D882C337142DB58396181C646141535618DBFDFDE948DCD91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:33.969{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=879133579E36A1063DBDA39F17F2BF93,SHA256=0E7AD1A01F15FC5674FE7B4B6CC47E0E6E6EF0D963D87CF003DD6B56CFB63B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:33.079{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69961E41A51650A34468312AB6BF7F53,SHA256=11D05BEE0BFE08A3A714E61D48EB2A3587A840F511D0BB3B80E896920CF4C15E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:33.526{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F1A1-62DF-2A04-000000006F02}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:33.526{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:33.526{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:33.526{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:33.526{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:33.526{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F1A1-62DF-2A04-000000006F02}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:33.526{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F1A1-62DF-2A04-000000006F02}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:33.527{F81F30E6-F1A1-62DF-2A04-000000006F02}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:33.327{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FCC6655BB992CC26FC2DA0DEAD8DB93,SHA256=6BC3580DD114E4F492F2EE68645FA5976627BAA33D20F6D9257D955B1D265F30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:30.203{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64814-false10.0.1.12-8000- 10341000x8000000000000000274729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:33.101{F81F30E6-F1A0-62DF-2904-000000006F02}24243716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.995{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F1A0-62DF-2804-000000006F02}2552C:\Python310\python.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000274761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:32.002{F81F30E6-F1A0-62DF-2804-000000006F02}2552win-dc-ctus-attack-range-5020fe80::513a:aaff:ea8e:f17;::ffff:10.0.1.14;C:\Python310\python.exe 10341000x8000000000000000274760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.996{F81F30E6-D98A-62DF-2B00-000000006F02}26561432C:\Windows\sysmon64.exe{F81F30E6-F1A0-62DF-2804-000000006F02}2552C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.764{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F97E678C385EF27917A28624F54E7A,SHA256=8155F41696A259DAA78DFA8047B81BC6118B92E7E4C9051D6448CEA99823486F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.764{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F1A2-62DF-2C04-000000006F02}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.764{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.764{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.764{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.764{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.764{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F1A2-62DF-2C04-000000006F02}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.764{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F1A2-62DF-2C04-000000006F02}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.766{F81F30E6-F1A2-62DF-2C04-000000006F02}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.710{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A1D833D5FE3626D503019FA842A442C9,SHA256=8089B9B3D6BD918ACEE38ECCA8F4FA3FEE5892585BA0B36125BFCFAE062927FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:33.307{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50917-false10.0.1.12-8000- 23542300x800000000000000051747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:34.172{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23F0680FD2200F93885EAB891177752,SHA256=E151FA056F5E2E92AB8DE9D91D349176A970EB2BD893D88A2A23BE19F29D5602,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.426{F81F30E6-F1A2-62DF-2B04-000000006F02}41767356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.211{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F1A2-62DF-2B04-000000006F02}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.211{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.211{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.211{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.211{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.211{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F1A2-62DF-2B04-000000006F02}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.211{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F1A2-62DF-2B04-000000006F02}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.211{F81F30E6-F1A2-62DF-2B04-000000006F02}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.896{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA1F8C6A053EC39D3628040AAF06212,SHA256=4912B4DF7AA674F68F0C795EDD5B60F265F3411AA04468C31880954A401B2FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:35.266{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6CF0801C1B8742BBF7B69A1D4E54DD,SHA256=28089F6CB15010B2594ACE690257C6B284B8FEC6BA53A615688756FC28BA750A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.696{F81F30E6-F1A3-62DF-2D04-000000006F02}67843268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.596{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\cache2\doomed\23038MD5=E2177F27E398CBB670C4DBA236720DD2,SHA256=E49A24BA3C521745B042FAA1C9E500981BA4BCCAC0D8FA083A22EE4F6AD3A152,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.443{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F1A3-62DF-2D04-000000006F02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.427{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F1A3-62DF-2D04-000000006F02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.427{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F1A3-62DF-2D04-000000006F02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.428{F81F30E6-F1A3-62DF-2D04-000000006F02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000274767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.412{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-E923-62DF-FF02-000000006F02}7404C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65767|C:\Program Files\Mozilla Firefox\xul.dll+85d545|C:\Program Files\Mozilla Firefox\xul.dll+8514da|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+17686da|C:\Program Files\Mozilla Firefox\xul.dll+1a277f4|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.380{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-DAB6-62DF-C200-000000006F02}4408C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65b59|C:\Program Files\Mozilla Firefox\xul.dll+e65e38|C:\Program Files\Mozilla Firefox\xul.dll+11f018b|C:\Program Files\Mozilla Firefox\xul.dll+e627c7|C:\Program Files\Mozilla Firefox\xul.dll+120a85d|C:\Program Files\Mozilla Firefox\xul.dll+ceede|C:\Program Files\Mozilla Firefox\xul.dll+c395d4|C:\Program Files\Mozilla Firefox\xul.dll+c3930b|C:\Program Files\Mozilla Firefox\xul.dll+1871229|C:\Program Files\Mozilla Firefox\xul.dll+1e41d6e|UNKNOWN(00000034CA763342) 10341000x8000000000000000274765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.280{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.280{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.265{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.265{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:36.360{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D53F316B96FCA61B9F60772F4B8749,SHA256=BDB7252B0FEBF8539EF634DF3B798C6BE2694BAFD621306BDFFFB243B7A7E70F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.564{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\cache2\doomed\29427MD5=D7A7F5066911B823471115726E5002B9,SHA256=D9A756D1DA7E668093E28718738D494942C883E384025680FADFD9CF53991A5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.460{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64815-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000274788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.442{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local60053- 354300x8000000000000000274787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.442{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local59515- 10341000x8000000000000000274786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.095{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F1A4-62DF-2E04-000000006F02}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.095{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.095{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.095{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.095{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.095{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F1A4-62DF-2E04-000000006F02}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.095{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F1A4-62DF-2E04-000000006F02}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.096{F81F30E6-F1A4-62DF-2E04-000000006F02}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:37.454{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B50C444D87E91014BD42BF0845D2E5,SHA256=551E6960FAF3EDCAA6676A3159B0F1CD843B4E2ACE888A04544B8AB7A29D1FB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.567{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64816-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x8000000000000000274793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.555{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local57718- 354300x8000000000000000274792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:34.554{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local59654- 23542300x8000000000000000274791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:37.026{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEAA5C6CD2533AE1D232A9C7F40312B,SHA256=98A63F553BF62F9C867BAD617688156BC324EB438C350EC802DDED70001F162A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:38.547{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BCFCCEED772499B9E6F9AD5B131C93,SHA256=ED7BFE3E602A6A9F13F7F9942AC2DA6D0F11C3F04D35392406F892F0501B451D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.541{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local62097- 354300x8000000000000000274807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.539{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local56989- 354300x8000000000000000274806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.539{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local59623- 354300x8000000000000000274805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.538{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65110- 354300x8000000000000000274804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.537{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65201- 354300x8000000000000000274803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.536{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58793- 354300x8000000000000000274802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.535{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local57108- 354300x8000000000000000274801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.535{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local55083- 354300x8000000000000000274800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.939{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58243- 354300x8000000000000000274799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.939{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local54647-false142.250.191.196ord38s31-in-f4.1e100.net443https 354300x8000000000000000274798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.938{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local57089- 354300x8000000000000000274797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.936{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local54646- 354300x8000000000000000274796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:35.233{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64817-false10.0.1.12-8000- 23542300x8000000000000000274795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:38.043{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332EB866056660E22BA4749FDABEFC9A,SHA256=E2B30B87206D7FCD60C2059ED6F93B07F349FE03198BAD858DABB7826FAE84AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:39.641{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03038BCCD54FCDDCC828C42493DC1B17,SHA256=43CB3C72B9C6180F2253D8E79CDCE8E7F47EBAEC7954D47EE53C9B0B23F25277,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000274821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:37.178{F81F30E6-DAB4-62DF-BF00-000000006F02}2464datagroup.ddns.net0127.0.0.1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000274820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.549{F81F30E6-DAB4-62DF-BF00-000000006F02}2464youtube-ui.l.google.com02607:f8b0:4009:808::200e;2607:f8b0:4009:81a::200e;2607:f8b0:4009:81b::200e;2607:f8b0:4009:81c::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000274819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.547{F81F30E6-DAB4-62DF-BF00-000000006F02}2464youtube-ui.l.google.com0172.217.2.46;172.217.4.78;172.217.4.206;142.250.191.110;142.250.191.142;142.250.191.174;142.250.191.206;142.250.191.238;142.251.32.14;142.250.190.14;142.250.190.46;142.250.190.78;142.250.190.110;142.250.190.142;172.217.0.174;172.217.1.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000274818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.547{F81F30E6-DAB4-62DF-BF00-000000006F02}2464www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:172.217.1.110;::ffff:172.217.2.46;::ffff:172.217.4.78;::ffff:172.217.4.206;::ffff:142.250.191.110;::ffff:142.250.191.142;::ffff:142.250.191.174;::ffff:142.250.191.206;::ffff:142.250.191.238;::ffff:142.251.32.14;::ffff:142.250.190.14;::ffff:142.250.190.46;::ffff:142.250.190.78;::ffff:142.250.190.110;::ffff:142.250.190.142;::ffff:172.217.0.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000274817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.544{F81F30E6-DAB4-62DF-BF00-000000006F02}2464e15316.a.akamaiedge.net023.78.13.197;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000274816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.543{F81F30E6-DAB4-62DF-BF00-000000006F02}2464www.amazon.com0type: 5 tp.47cf2c8c9-frontier.amazon.com;type: 5 www.amazon.com.edgekey.net;type: 5 e15316.a.akamaiedge.net;::ffff:23.78.13.197;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000274815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:37.173{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local57906- 354300x8000000000000000274814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:37.172{F81F30E6-F1A0-62DF-2804-000000006F02}2552C:\Python310\python.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64818-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 354300x8000000000000000274813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:37.172{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64818-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 354300x8000000000000000274812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.682{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local57880- 354300x8000000000000000274811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.543{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local49363- 354300x8000000000000000274810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:36.541{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local65039- 23542300x8000000000000000274809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:39.063{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4EE1951428D9A92D7C987A6B7DF14F7,SHA256=1EB5F3B48BD4779956A5C2B7BE3797A82A104C7E267EA732501C3625D20AD2E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:40.735{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C20F27C1D7FCC0B9E15E2BA3253E999,SHA256=69928B5D104761982A3757BF28FE9AF642B1F2C7B6331147FED23C4ED3094060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:40.548{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\cache2\doomed\23038MD5=BBB546A2B692AD6FC84FC54F2FA81225,SHA256=E2185B6B10C7A374D1A9238F92B17E72A89173E3A03E0D08EF8D2FF9B50A23D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:40.084{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5C03868C059DE500CFF05EDFFA8AAA,SHA256=ACA79FF4622469315C405954D62199C29FC5BA17DDB600A933E180BEEC3094C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:39.167{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50918-false10.0.1.12-8000- 23542300x800000000000000051756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:41.829{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7C8BD80DC0566C4CD3381DA6A26FD1,SHA256=5F49102EDF4A0898647B6D96C4652E53F99087F4A83C4D8A933660412099545B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:41.743{F81F30E6-D97C-62DF-1100-000000006F02}4401628C:\Windows\system32\svchost.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:41.682{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-DAB6-62DF-C200-000000006F02}4408C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65767|C:\Program Files\Mozilla Firefox\xul.dll+85d545|C:\Program Files\Mozilla Firefox\xul.dll+8514da|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+17686da|C:\Program Files\Mozilla Firefox\xul.dll+1a277f4|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:41.678{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e5ef99|C:\Program Files\Mozilla Firefox\xul.dll+e5f968|C:\Program Files\Mozilla Firefox\xul.dll+e4dc80|C:\Program Files\Mozilla Firefox\xul.dll+42513b6|C:\Program Files\Mozilla Firefox\xul.dll+23d1a18|C:\Program Files\Mozilla Firefox\xul.dll+9ada4b|C:\Program Files\Mozilla Firefox\xul.dll+966621|C:\Program Files\Mozilla Firefox\xul.dll+18661d|C:\Program Files\Mozilla Firefox\xul.dll+9b13d5|C:\Program Files\Mozilla Firefox\xul.dll+9723eb|C:\Program Files\Mozilla Firefox\xul.dll+975551|C:\Program Files\Mozilla Firefox\xul.dll+97421b|C:\Program Files\Mozilla Firefox\xul.dll+973416|C:\Program Files\Mozilla Firefox\xul.dll+97e5ac|C:\Program Files\Mozilla Firefox\xul.dll+8b3d02|C:\Program Files\Mozilla Firefox\xul.dll+8360cf|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+19ff973|C:\Program Files\Mozilla Firefox\xul.dll+1769705|C:\Program Files\Mozilla Firefox\xul.dll+1a278fb 23542300x8000000000000000274824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:41.097{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE699DF15A7124A8D6934A4535D17686,SHA256=A1E0AD0932F1600622EDA8BDC1455F15F91B5B883BF8B0C2A641A9CCA3AF4B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:42.922{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E66F2B086C13DE7EE3DE606E416782D,SHA256=4B2407F95F320CB6676526AE983117373F33D68D5A579B589207F894F569D284,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:40.678{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58715- 23542300x8000000000000000274880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.855{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9C473E7DBE59CAF5A06FF61C9C4EDE,SHA256=516B6F9D9BAE69AC8D6D629D2EFE49CDF07D76CE6341C26A2BCC247205B28E01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.759{F81F30E6-D97C-62DF-1100-000000006F02}4401628C:\Windows\system32\svchost.exe{F81F30E6-F1AA-62DF-2F04-000000006F02}5208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.759{F81F30E6-D97C-62DF-1100-000000006F02}4401628C:\Windows\system32\svchost.exe{F81F30E6-F1AA-62DF-2F04-000000006F02}5208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.753{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F1AA-62DF-2F04-000000006F02}5208C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.753{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F1AA-62DF-2F04-000000006F02}5208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000274875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-ConnectPipe2022-07-26 13:52:42.742{F81F30E6-DAB4-62DF-BF00-000000006F02}2464\LOCAL\cubeb-pipe-2464-89C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000274874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-CreatePipe2022-07-26 13:52:42.742{F81F30E6-DAB4-62DF-BF00-000000006F02}2464\LOCAL\cubeb-pipe-2464-89C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000274873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.727{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F1AA-62DF-2F04-000000006F02}5208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000274872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-ConnectPipe2022-07-26 13:52:42.723{F81F30E6-DAB4-62DF-BF00-000000006F02}2464\gecko.2464.4432.8699368749481752248C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000274871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-CreatePipe2022-07-26 13:52:42.723{F81F30E6-DAB4-62DF-BF00-000000006F02}2464\gecko.2464.4432.8699368749481752248C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000274870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.723{F81F30E6-DAB4-62DF-BF00-000000006F02}24644432C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-F1AA-62DF-2F04-000000006F02}5208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a203ae|C:\Program Files\Mozilla Firefox\xul.dll+1a1e3d7|C:\Program Files\Mozilla Firefox\xul.dll+127e5|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+12317|C:\Program Files\Mozilla Firefox\xul.dll+9d50c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d138|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000274869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-ConnectPipe2022-07-26 13:52:42.723{F81F30E6-DAB4-62DF-BF00-000000006F02}2464\chrome.2464.93.83031924C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000274868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.719{F81F30E6-DAB4-62DF-BF00-000000006F02}24645968C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-F1AA-62DF-2F04-000000006F02}5208C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+11a15b|C:\Program Files\Mozilla Firefox\xul.dll+12baa41|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d138|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000274867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-ConnectPipe2022-07-26 13:52:42.719{F81F30E6-DAB4-62DF-BF00-000000006F02}2464\gecko-crash-server-pipe.2464C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000274866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.699{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-F1AA-62DF-2F04-000000006F02}5208C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e5ef99|C:\Program Files\Mozilla Firefox\xul.dll+e5005d|C:\Program Files\Mozilla Firefox\xul.dll+e5e062|C:\Program Files\Mozilla Firefox\xul.dll+7d3694|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+19ff973|C:\Program Files\Mozilla Firefox\xul.dll+1769705|C:\Program Files\Mozilla Firefox\xul.dll+1a278fb|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.695{F81F30E6-DAB4-62DF-BF00-000000006F02}24644432C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-F1AA-62DF-2F04-000000006F02}5208C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9ee879|C:\Program Files\Mozilla Firefox\xul.dll+7d3694|C:\Program Files\Mozilla Firefox\xul.dll+1a1e5af|C:\Program Files\Mozilla Firefox\xul.dll+127e5|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+12317|C:\Program Files\Mozilla Firefox\xul.dll+9d50c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d138|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.691{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.691{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.691{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.691{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.691{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F1AA-62DF-2F04-000000006F02}5208C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.691{F81F30E6-DAB4-62DF-BF00-000000006F02}24645972C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-F1AA-62DF-2F04-000000006F02}5208C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2b872|C:\Program Files\Mozilla Firefox\firefox.exe+5727|C:\Program Files\Mozilla Firefox\xul.dll+1fd72af|C:\Program Files\Mozilla Firefox\xul.dll+9e98a8|C:\Program Files\Mozilla Firefox\xul.dll+9e79a5|C:\Program Files\Mozilla Firefox\xul.dll+9ef74e|C:\Program Files\Mozilla Firefox\xul.dll+84f693|C:\Program Files\Mozilla Firefox\xul.dll+17689cc|C:\Program Files\Mozilla Firefox\xul.dll+17676e5|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+852397|C:\Program Files\Mozilla Firefox\nss3.dll+745bc|C:\Program Files\Mozilla Firefox\nss3.dll+8aeb1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1d138|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.691{F81F30E6-F1AA-62DF-2F04-000000006F02}5208C:\Program Files\Mozilla Firefox\firefox.exe102.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2464.93.830319244\917935533" -childID 90 -isForBrowser -prefsHandle 7828 -prefMapHandle 3188 -prefsLen 36534 -prefMapSize 223644 -jsInitHandle 1084 -jsInitLen 277276 -a11yResourceId 64 -parentBuildID 20220705093820 -appDir "C:\Program Files\Mozilla Firefox\browser" - 2464 "\\.\pipe\gecko-crash-server-pipe.2464" 8324 1e40ff1e748 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962LowMD5=60DA13EC9FBD16FF328E2521E8DD4191,SHA256=B101859A33B07BC3270DC58A5270E9D574F4BDC655E57ED68B7B78E93B1ABF02,IMPHASH=A2EF21DE31B3DAC585954E210475F61A{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000274857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.687{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.683{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.683{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.683{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.683{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.683{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.683{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000274830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-CreatePipe2022-07-26 13:52:42.683{F81F30E6-DAB4-62DF-BF00-000000006F02}2464\chrome.2464.93.83031924C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000274829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.163{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\permissions.sqlite-journalMD5=EECFA3DF671F8AECCFB535A57E11387F,SHA256=8EC4F79C15C08A658464524238929B0E68E16E241712F68E2D85D3CEC848E19C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:42.122{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9229F828188DD1EB4470C07629C5128,SHA256=FCC8F3F20F48BD054BDBADE50645C97B55F3143B9F9CB988E60A13C6D63E0FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:43.748{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=347DC4CC5DD0FC0C7CB59296E3B8D42C,SHA256=98DEE72D50D952A3AFB82BBC3D60560A27D18CAE01D8F5BDD7841874A34D4C0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:43.164{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3556FD6A209867D09972C7B675C6D420,SHA256=EA0F783E85205F7B94D062BD7D6EEEC3845C252FC7C605D70652D670AB6412A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:40.769{F81F30E6-F1A0-62DF-2804-000000006F02}2552C:\Python310\python.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64819-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 354300x8000000000000000274886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:40.769{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64819-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 354300x8000000000000000274885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:40.706{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local61594- 354300x8000000000000000274884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:40.705{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local61879- 354300x8000000000000000274883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:40.703{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58873- 354300x8000000000000000274882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:40.696{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local61533- 10341000x8000000000000000274899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:44.769{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:44.769{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:44.769{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:44.765{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:44.761{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:44.761{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:44.761{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:44.761{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:44.269{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A633D235BDCCE87AF853B0E89FAD65D2,SHA256=F930B08C516B70540534144097004512A059FCE7F2C4E6199F1C4E15D68533A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:44.016{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811E2E186A191A3E748DA1CA26D463D9,SHA256=5E175EF46E5F7D3F29B14594419CBCC2F0128A0E2A765A70E854296BD91EB31A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:41.055{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64820-false10.0.1.12-8000- 23542300x8000000000000000274900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:45.290{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BFC839095B5B099C17CC4B6F4DF4D84,SHA256=B84423DAFFE40E637395B7166DF42F43604027594F5AE5D1DD96632A22129C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:45.813{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:45.110{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A54833820521FD3B185F8AD2468542,SHA256=1903661BF6DA877528D6EA33F96071359380B77986D88B2A296E47D45E342ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:46.204{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11697509423953842779F6045307F1C9,SHA256=D24485268B9D7AF0AAD9ECD033B998B1841CF731ED3FB4C85EC3C7302B51E505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:46.670{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\cache2\doomed\26883MD5=5502770609758EC354714AC9A178542B,SHA256=3F8347D41AAB73CB99CC37BEB3EF5A24A331A80CA5D8C56F41F57FD9CA84424F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:46.303{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47083CB73A1FB608B4062E5BB5BFC061,SHA256=307491ECD74DBCBE49D53E8D2DFA83DE4A73764978C8284A17D35D583CEF4E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:47.297{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1549425A6B0E71D4661EF874F5021425,SHA256=5E2B586E4D26C327AF4966874011B1ECFE50293895316522D8E4CCEBF7748312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:47.322{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AAA65C1DFCD5A960A23C20B6F7A11A,SHA256=03876141F56A7FAE8EF9583E1A8D3A87C383E397A6196F6F7D1840EF584D9C83,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:45.885{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50920-false10.0.1.12-8089- 354300x800000000000000051763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:45.182{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50919-false10.0.1.12-8000- 23542300x800000000000000051762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:47.032{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=829C718634D9056B165DA208F2D55149,SHA256=79CD704847471206DF7CFE3C480EBCF06BD6D25CE4F1D1A3BFFFB0680013C1B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:48.391{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101C6D6A382E745911BE08D533B55E8E,SHA256=E172E4E06E0D49C78388FB550CA0A86640072A8576B7F2D5001BEC44E43FA9AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:48.805{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:48.336{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5287FA3E7549EAFBE63277781D4A53,SHA256=F8735DF2996AD004DFB9C8FF1C1D7C371145515E438DD27036A5B1F3AC6E4104,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:49.485{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A69055A0AF31F6F7453C0223663187,SHA256=0906C209E4FC4960A996B5E2C4DDD3E636903094CB00CE654AD2EB7E68C4BF9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:49.346{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB05CB9714457E5C62240A318D298B26,SHA256=8AC43CEB0F9B701E468DCB0CE68657DAE951ECD0CFD2D06BB1EAD82708E77A92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:46.163{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64821-false10.0.1.12-8000- 23542300x800000000000000051768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:50.579{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F386839D9D28D817C0B4013D09FB3D4,SHA256=2D3677328803312D5966BE3820990EC2CCAF2C1C263E2ADAC3A954F02CEC9B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:50.553{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=E9ECB6F29003576C2EAB8672C0AD7163,SHA256=5EC1D117A355F5B33C4C6C428B457DD5063D1EC0B20523191D3C5ECB1ED289F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:50.358{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4E1D9881B5EB3A36C4A48A76E83F90,SHA256=26ABFEC2799959F64F5D879F1729437D980141C2DB628FA0F447324E45A5D469,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:47.795{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64822-false10.0.1.12-8089- 23542300x800000000000000051769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:51.672{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D60F7AEF92409202B83B88AD6E93432,SHA256=94DC0875F6FDCCDAB208302651A7E4B17A1B27B6FE6C82202332004B661AF0DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:51.366{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648E636C93883F563968E19356BF2F2C,SHA256=E010D8BFBF0867A6151FB26F5247A93685B6BC0BDB9C60D9533B51347E036BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:52.766{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA8648C4861D09C71CBA6D032249E16,SHA256=12A4183159F07E341FE5AAD8D68FA9254DE3896E63AF3B57AFF6545CEF885342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:52.383{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B924E2FA07FBC3F36880FFC57BEAE85,SHA256=CBAB0E7FE362589464C30599241FE716F7497356182E4CD0EA7D598D72398877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:53.860{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC42C7E36B39435483BA796AE3214A17,SHA256=4D3B5FE9592BBBEF7F5EF4ED217719E3E8C5BE6A9DC1411107E296DD7B9D99FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:53.392{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00ACAE538A66F6C5EE929D2BF79226F4,SHA256=FB7C29617D70E840DE8D37A7C59177925F812FE5184EBAAEF5C4941A2BD0F083,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:51.182{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50921-false10.0.1.12-8000- 23542300x800000000000000051773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:54.954{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC55A90BD8FBA4BE99494E7E667AD37,SHA256=2766EBA184A6ED2A462A69698CE87D50EA09F29E01C9DFAFDFA6FA1039838B6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:54.774{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:54.773{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:54.770{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:54.770{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:54.765{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:54.765{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:54.765{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:54.765{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:54.518{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895C9E73045B954B9A2F91D09C1406FF,SHA256=26F03C3495B83CAE4001AEFC3B1D2035308044FCE5A9B901C0B46BD823FEA6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:55.535{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1652F1E5DE065700AEE731324D4E3FA8,SHA256=26D7484DF147AC25045F6E58C64933F7868E7814F917B739EDE9108CF4E0E5DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:52.102{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64823-false10.0.1.12-8000- 23542300x8000000000000000274925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:56.552{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2512AD5F5E07FAACC7EC53FB3850BC,SHA256=8D780E256D61F785BCCBFB5680C61FD0428644D09400DDD18586AFA3413C8F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:56.047{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C374FD82082FC71D378BF194625A0CC,SHA256=093B6EB7B8B06F15086920B4400265B9F18997E0C586A9B381F4D26B5E92D9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:57.563{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C09D4B49C89C5189ADFD99191A3EB8,SHA256=B87FFC247EC3A614FFE5E9C3B63BD83637BF8E71CA54FEECF0D8AAB1C6079A73,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:56.275{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50922-false10.0.1.12-8000- 23542300x800000000000000051775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:57.141{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD0BA7C870604FDD552D71794827BE7,SHA256=DDC22497C1A6076E59EF78E756BDCE34823CD390DBB7308BCB620DC6DE2D4AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:58.568{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEFF69007C395650B8FE16A9A6516F42,SHA256=7C1A29D47C8A79FAFD8156AB57C082C944A1879EAB45D8DED6E5975FCE68D45D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:58.251{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5C828F151A7F08630348E0988F853D,SHA256=62F084F3325342192981C1ABF0801D6BB487750A5F6DF85B4910F86E4EB6432D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:59.576{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6DE0778FB7255CC696AE833AFE1217,SHA256=4E36D8C90056AF6081490712F198CA08617F4C2407C32435F3A84F9C7413DE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:52:59.344{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E832E7DE16F62D0FB5F446B324D89D3,SHA256=3978A69CC2145D59A51AE988DF0F902774E7D29EE900BACD69F047A432B3EB52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:00.789{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=9FB2D10541EE7B3CC0B00D8769CDD408,SHA256=04EEA1E50C614CE3F30425633EF8212C98179A974BDC4B2A97D539328CC202E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:00.685{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEBDCE13049513A010EC94B7F13C1523,SHA256=D5D4B9DDDBFAED83DF54D9B777E6803B82B4B1B49A29318742180962C5CE97A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:00.438{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F28F2D044C47B434AA677327819F8E,SHA256=54DBAACFE81B56302242FCF8053B222DA0FB67126CC62255533080F121A805A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:52:57.221{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64824-false10.0.1.12-8000- 23542300x8000000000000000274933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:01.694{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E7512993D75260715F142481D3EB1C,SHA256=D1CEB428D25EDDA8F6E2E663B288A37230D386E0BB444979B197A1999B2814C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:01.532{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC61E543A12186A45AA034B7D9DC689,SHA256=543B434BF9573C3F49EA94C309F22DA2F92E44893693CFF831595B1ABBD77E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:01.598{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=74D5FE6DC2CCC27258EDDD6BC0BC281E,SHA256=3A899636E2DE68F67071329CF9970948B36D357668623249CB4B7A9AF8B3592B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:02.626{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0C122592E9257DEDAD03F4D860AA8D,SHA256=6FC83DFACEEDA7B6E454ACDFF82E9FE3D6DBD5143E1A81E67B3207B97069F629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:02.707{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A745F7FC5A3495F6143B3FB173A215B0,SHA256=48C8BBB92A3A3DE4CC631BADC40F43C6A39761D21C585748EDB5BB44C205BF70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:03.719{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019E7BE04E7CF4EA7CCAF7145717BEE7,SHA256=0D1A6A2291054AB62C29B40630B6F21D384E270C6134073C805F426F4BCB58FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:03.720{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F33ED328B2FEA5393C4866993C6BA94,SHA256=EFC948A51D4DE406F5A0ED1AD0BA5AE2329CDB1DD94669F308E8F2290790BDC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:02.197{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50923-false10.0.1.12-8000- 23542300x8000000000000000274935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:03.644{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C39B794534B21BDEB32FB1C861534D7E,SHA256=E4E588DDB8ABC1AB107D222B64AAB6F5C1249D5944FCB995C3CDFB13EEE5CDD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:04.813{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643249B094CA68F946D0C0835EFAC83D,SHA256=3BDBE89CEC6049CCAB2E82060E41C61A7C43E84755BCF06A2739A6846E8C844F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:04.730{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9FBE13EDA0D50D84D6F9DA788F104D,SHA256=B8DE57639CCE182000B1C007E7E5481423C2F2CF8BDA7CB033FF75727E51D1E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:01.618{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64825-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000274937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:01.618{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64825-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x800000000000000051785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:05.907{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F72EB581BB3C224C7F1FF14522A5EC,SHA256=AEAA9FF6A080436F252443872132F4F5C8383188CC6EA96F870C2E8959BAD559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:05.747{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50579992274AED5EE4BC83EE36BC4EDE,SHA256=6F5FFF84B39B8BB1F05C807512F87CC07D3607B82DFBB570F9C3AD08AE5F54B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:06.765{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F244BD93811CB39114835A67ECBE0384,SHA256=D689B7D2AB075CDF4BE8C67503D28C95B778C80E8EA9570F6C6EBE9BF1A4C306,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:03.148{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64826-false10.0.1.12-8000- 23542300x8000000000000000274943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:07.779{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576092C7C53607A83DDEDEAFD3740BB5,SHA256=4DDE40D1BD423F3F175B6F37EC3D4C6349DEC3853E6C8C4C62990D5C62D04965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:07.001{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E849A288B43C0F8366C2E4F5AE585B55,SHA256=ED19A9C44732DA6EF325AE8454F8099C84E70B236DC27976A45523724FEB5BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:08.872{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9227E22CA46D9B0530ACF2B5B0F4E12,SHA256=CD3783A9A8A0377B88336423947EF8919848CD6D02B9EF4DA981D3F7BBCCDAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:08.894{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-100MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:07.197{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50924-false10.0.1.12-8000- 23542300x800000000000000051787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:08.094{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=228067BB8A6ABA6025AFC709FE620AB5,SHA256=07CDAEA1151C0D3EFE2E5DC09636A44C3993E0BE9E7D9693BFF6EE8746708B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:09.908{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41EEDAFD5F5379F8B82F650C1F2D3A48,SHA256=F7431D291B1514734DFE0472706375C7A5D91D77A342F4F64CDDF13EE609406E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:09.908{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:09.189{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319742361A7EF87510AB1228362927C5,SHA256=ECDA1764F40BB1DC76BD31EBD49FC9F62D5A0809C98DF46E3742BDBE320870A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:10.939{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C519043137392734101DF2EF469229A,SHA256=C06A8F342CD70F1AF07F63E93651F859E1D6792F7B38A1EE2000318A88E0180C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:10.281{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96433EA929E0C9B16CC3B8FC30FF8CED,SHA256=1753AC350E720A54F5DEC43300AE22F32110E4BF8B2B50AA1C5D48551BA2987A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:08.178{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64827-false10.0.1.12-8000- 23542300x800000000000000051793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:11.377{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1AF66C2C7E4A98F8FBB89D4B070F6D,SHA256=D63FFF62637BC3F3AA4519C94F0BF1B981DC77A6F2D11A5E58306D3664D44422,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.580{53069400-F1C8-62DF-4E03-000000007002}15882860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.471{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6025F0C8BC7365DA828E5ED7FD85BBB2,SHA256=A6D760F9FC313A9AFDF627FF0B35BFE453248B6A675783E27ED3C56222C95B2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:12.138{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:12.138{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:12.138{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:12.138{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:12.138{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:12.138{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:12.138{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:12.138{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:12.069{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16FD9F9DE12A6B73C5904A20271B90B,SHA256=5A2981BBEFF2394452480A1BA6BDE086A3311077A204DBC462AEDBE9DD2F3A64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.377{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F1C8-62DF-4E03-000000007002}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.377{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.377{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.377{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.377{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.377{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.377{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.377{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.377{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.377{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.377{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F1C8-62DF-4E03-000000007002}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.377{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F1C8-62DF-4E03-000000007002}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.378{53069400-F1C8-62DF-4E03-000000007002}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000051837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.721{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F1C9-62DF-5003-000000007002}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.721{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.721{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.721{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.721{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.721{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.721{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.721{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.721{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.721{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.721{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F1C9-62DF-5003-000000007002}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.721{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F1C9-62DF-5003-000000007002}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.722{53069400-F1C9-62DF-5003-000000007002}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000051824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:12.292{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50925-false10.0.1.12-8000- 23542300x800000000000000051823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.565{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA531BC3B1E5D0E06CFE3231C7587DF5,SHA256=A18CF351B62CEB10591B03B39658998146FAD880DBFC6B4C8AEA70D9D15713F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.486{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=220AB372664F9459AD1A422C216DC304,SHA256=08B5CA27B0646F3FB3213D3F71AD110AE1D9D6797ACD2E2B27D9FCBDEB0EFCF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:13.122{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4837340BDC050E5DB9F490555B00322C,SHA256=AB32D76D6FE4D3CA76F9563EFB56AB229213DEF6EC89A93D9B524CBB7CA2C9B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.049{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F1C9-62DF-4F03-000000007002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.049{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.049{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.049{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.049{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.049{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.049{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.049{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.049{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.049{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.049{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F1C9-62DF-4F03-000000007002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.049{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F1C9-62DF-4F03-000000007002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:13.050{53069400-F1C9-62DF-4F03-000000007002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.940{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786507C1DBCC54E6886A02B087AA7E4D,SHA256=87863731753E828766A238E77474BB0C6E7F939C63ADCF83046B18ED11058CDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.893{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F1CA-62DF-5203-000000007002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.893{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.893{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.893{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.893{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.893{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.893{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.893{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.893{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.893{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.893{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F1CA-62DF-5203-000000007002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.893{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F1CA-62DF-5203-000000007002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.893{53069400-F1CA-62DF-5203-000000007002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000274958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:14.253{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA0F93550CB26DB0DE59D4AE745DF58,SHA256=C6615AAF19844CDC1DC85F48569C38D5772B25448FFFB1CDD95DAE0566A65F8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.377{53069400-F1CA-62DF-5103-000000007002}11881084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.221{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F1CA-62DF-5103-000000007002}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.221{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.221{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.221{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.221{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.221{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.221{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.221{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.221{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.221{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.221{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F1CA-62DF-5103-000000007002}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.221{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F1CA-62DF-5103-000000007002}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:14.222{53069400-F1CA-62DF-5103-000000007002}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000274960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:13.194{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64828-false10.0.1.12-8000- 23542300x8000000000000000274959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:15.304{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B102A77E85299640BF730B32414DCCFB,SHA256=D853B85494D5F14C82DF11A9500AC5010861D449899EDF6D698C1A590BB37CC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:15.752{53069400-F1CB-62DF-5303-000000007002}18802340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:15.565{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F1CB-62DF-5303-000000007002}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:15.565{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:15.565{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:15.565{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:15.565{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:15.565{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:15.565{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:15.565{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:15.565{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:15.565{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:15.565{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F1CB-62DF-5303-000000007002}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:15.565{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F1CB-62DF-5303-000000007002}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:15.565{53069400-F1CB-62DF-5303-000000007002}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000051866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:15.104{53069400-F1CA-62DF-5203-000000007002}36643500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000274961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:16.350{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFAE1A5CF5E39E3457280D55FBE2137A,SHA256=7636B6F4743B2B3D329961DBE787A2C2973946ADF9258F5DDCF2EC1C490BABEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:16.080{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F1CC-62DF-5403-000000007002}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:16.080{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:16.080{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:16.080{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:16.080{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:16.080{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:16.080{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:16.080{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:16.080{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:16.080{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:16.080{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F1CC-62DF-5403-000000007002}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:16.080{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F1CC-62DF-5403-000000007002}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:16.082{53069400-F1CC-62DF-5403-000000007002}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:16.080{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40E6960A561F14C29FDD6836EA89D5F,SHA256=423A79536B62B40A087AF7043A506C5C41F28A05FA673396C87195C37BA96E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:17.382{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D72AB53696879D0DDB07AF087C15D22,SHA256=60D20E2FA1BBEAA2148A16912D0D3E51C2F4706ACC496177CE8D4B3125A63F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:17.221{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A92E234F06C9AA2EB4AF983C64F142F0,SHA256=C5F6A5C96D509FE611D610863CCA8664EFD191A841D5C43597CA8A859180FFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:17.111{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198FD26F5A37002C559047F42BC2EB9F,SHA256=F10EC757A9AA88F0F70AF80C26D25A4D91B5C1A842763AF69705E7E71E3C5705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:18.519{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6EF0DF64A4D7B7D7F6CAC671A1EAFB,SHA256=18AA04D58EFDA0EF7A1D219B184CD9BFEAA8961FD2A0F8C9E3FFE47D962893FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:18.315{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B22023A5F1E777A833D298DFFDA514B3,SHA256=9EE7B8DF9B41105B2450DEB611522A09B362B8CED207F3B28113E7F743FA5293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:19.682{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77EA89579C103B4ABDFCE7277D522A30,SHA256=96EB45E170F8B0A0B355904771D91364FCF13CE69B039EAD6424DF5C2BA95829,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:18.292{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50926-false10.0.1.12-8000- 23542300x800000000000000051898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:19.408{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE7A4BCCFF50973218C0C5E9956A8AB,SHA256=FFA702D90423C1FE0F5A53A070DF34E98BD94529DFFF8FA0F65E3E3F31A3E713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:20.502{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D95F7FFB12899B96C6EE406EA1D2459,SHA256=718120D9933459B9338C473DE20632ABB3E576802B48773A4179479E419AEB1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:20.717{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950D220335BA4A16E4CE69E8F0614CBC,SHA256=707F17E805CBA2B01B22D912B2BDFC54D858F3E206287E77F670026E86B2B5D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000274965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:18.209{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64829-false10.0.1.12-8000- 23542300x800000000000000051901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:21.596{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7F820AB98DE24FF609B58D27456265,SHA256=EC9EDC5CF54E1BA0FBBB6F9960EDF96FC8B863663D3E0056E5E909B5A00F7DD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:21.763{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C2A4919B7A2FDB9E37C4208269C5E3,SHA256=FA1D7575FC11546FAA104E19D694180A84916852E14093411CD0D7809273D44D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:22.690{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FDAC13727E62056392B7BB9A9EA68D9,SHA256=9187C082112BF13FD2CDDF23497FD6B5A7A27E9A21EF31F81C4895F464199C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:22.799{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3327FC32BAB8E08A12A1DB304D1F783A,SHA256=BC62B1878A46F2AD06063B047280324D67F04F5E88FDE0F2EB800291DCDC7A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:23.783{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8B6788E1304D50344030ACCD10E341,SHA256=0095C00646C095C975C1252BF653E1CDDF65B32849603530B99AE77D796FEDEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:23.930{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865C1A697898A013DF3DFD4C9ACD1FBB,SHA256=95E705C0B5C1B4E0009DBAF9346B71AFD3B649A91DD3F26A01E9582003E85108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:23.064{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-100MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:24.877{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC575226646E13C7B21327293D2C5CD3,SHA256=6005A1AA435936C07F60FB677B5F570A3974F16F3CD41509AC8FAA098EFC81A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:24.078{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:25.971{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623B981F52A395F9E638EBE4130AEC58,SHA256=EDD31506305099AAD274389544A547C2840DD9B788FDE01927223E1F39C94DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:25.060{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0F530C177963FD5B86B1821F850F6D,SHA256=99867C55FC391F8E8DE716B057570EEC190F5ABD4F4D32C766995F9076D16808,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:24.230{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50927-false10.0.1.12-8000- 354300x8000000000000000274974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:24.186{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64830-false10.0.1.12-8000- 23542300x8000000000000000274973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:26.176{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286865769C61C2D389735D56A599A29E,SHA256=3D5D458BF8BD882C493F2F30C8216D244FD6495BD972C59656D61F33B4D54C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:27.065{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FECE646CE451C4199D4A4D37BA5C13B,SHA256=6DA2ED457256460E6FC7565152573EBEC654066D268ABD255EAC27149A8D765B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:27.211{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BCDC8350149ADBFE395E5FCDE182224,SHA256=732CBA11A62F81A178BCB283AF6060AA96E5425890ADFE0D41B4B92A335709F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:28.256{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A855CD766A5C6B3ACF10E420F7647262,SHA256=852528CBD5A086D41408889708198E95AE85E4106E38EA85DE1C7FD3A3451E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:28.158{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4661BF3E1624B165A8894D68896301CD,SHA256=CB6E8B983FE3DBEA88D7411FD1429A61EC1789527AB0E79304B7C69FF83B38DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:29.372{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB81B7556489F51E3E45CEBBDD8250EA,SHA256=D399482723352144999F2651B4305711BC28248C6FA6962AD2602699533989F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:29.252{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5984497E8D01A72A07672B236A5BE3,SHA256=3529EB9E22C67B0AE5ECD9A40F020334A5DA6141DA7F38BCDD419E2FCA7CAA87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:30.407{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E460833DFD2B2E11B691D24166A602,SHA256=BE8686B72F9C3ADF7F43B563DC3E897764D2ED1833B0E7F9C195E79822BCFD98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:30.346{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA5C2CAFCB01E0AB2D126F27227EB30,SHA256=4977DADBB4F722E97818F24D584F83A8F19436BDB141F2098A4546B34621BCE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:31.507{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3505AA81C74D1113AF95B0706EBA19EA,SHA256=0600BD665E2FA94E4E4E623A2EB3F3CF4D6630657B0525467029F39C06823F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:31.440{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C157B01FC3D2223FBAC057011A5DDB18,SHA256=099FABC7D0031084800B7BE5CF16C837322EEACB8BFF18683FBD5D2E83305129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000274979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:31.007{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=84EB4801AFAE5F634A4B2D5AFDF18D72,SHA256=B6531C72FA0B9822A78898731D074918E6B2F6D9BD0B0169330D763D7E2E005D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:32.533{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31C03DCCBD16ADF8874106DD5EABEB1,SHA256=578127B3A62A5ACBED34EDCF5C31442269DA165DBE70B66314B4E0ED87D93F57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.905{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F1DC-62DF-3104-000000006F02}7056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.905{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.905{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.905{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.905{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.905{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F1DC-62DF-3104-000000006F02}7056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.905{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F1DC-62DF-3104-000000006F02}7056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.906{F81F30E6-F1DC-62DF-3104-000000006F02}7056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000274991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:30.177{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64831-false10.0.1.12-8000- 23542300x8000000000000000274990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.537{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E5E5779883956EFD77C45B700F22D7,SHA256=525429014692BC967DE0791CB851AD518F2506E90FF054E89EB54D6BA90915C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000274989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.423{F81F30E6-F1DC-62DF-3004-000000006F02}7004736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.221{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F1DC-62DF-3004-000000006F02}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.221{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.221{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.221{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.221{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000274983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.221{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F1DC-62DF-3004-000000006F02}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000274982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.221{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F1DC-62DF-3004-000000006F02}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000274981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:32.222{F81F30E6-F1DC-62DF-3004-000000006F02}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000051912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:30.262{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50928-false10.0.1.12-8000- 23542300x800000000000000051915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:33.971{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C4F9AF0E416BDFA52ACF19F43F1BA48C,SHA256=49FBCDB46FC5D57B6975272767BAA83B6B3A156D55FEFBE5BE6147E3AFF20C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:33.627{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC079AE99A7547540A46FD8363AE3069,SHA256=E57DA0CDFCC34DC73D53E5FBF108CF5C558E930D0B3B4F3B9295C87481F29FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:33.673{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16A84AC833DFE059FC65FE0A8E1C46F,SHA256=CD6CD53C29C0F784F27269F74FF784B6669D8160AE67334F59DDAEABFF1F5AC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:33.405{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F1DD-62DF-3204-000000006F02}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:33.405{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:33.405{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:33.405{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:33.405{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:33.405{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F1DD-62DF-3204-000000006F02}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:33.405{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F1DD-62DF-3204-000000006F02}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:33.406{F81F30E6-F1DD-62DF-3204-000000006F02}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:33.290{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=745F7D8DDB4C2C44C23FDBF67231F68C,SHA256=1D999FC827915C46AD7230E8FA0E31482AD4016B0DF9448CDD7425DE369622D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:33.190{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=E776E49C13325B3F8F30586534B054A0,SHA256=46E3ADAF89B516381BA3CAA12385036BE0D1FEE9456B2BCAE097EC8F72923E3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:33.090{F81F30E6-F1DC-62DF-3104-000000006F02}70566860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:34.721{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2954DC396DA0C133B112C15CCF8BE820,SHA256=858A58EE0247635BCFC5AF6E74C8F1C9AB5FA882BE1B0A643078E2506F37B45F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.919{F81F30E6-F1DE-62DF-3404-000000006F02}54166424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.804{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B81C770D3A4EEED2100AE9E9743A01,SHA256=91CCC9700459C728BDC3C4A969542E9D1FB27955779C9FB325B6CE9C7CC31786,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.751{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F1DE-62DF-3404-000000006F02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.751{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.751{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.751{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.751{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.751{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F1DE-62DF-3404-000000006F02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.751{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F1DE-62DF-3404-000000006F02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.751{F81F30E6-F1DE-62DF-3404-000000006F02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.719{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=85FB690D57B347EFAA4EC6D983C667DF,SHA256=ACAC9ED15A8B1D95940B11C82F9F3D8108B7A2FF10B934146684883163841A42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.071{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F1DE-62DF-3304-000000006F02}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.069{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.069{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.069{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.069{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.069{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F1DE-62DF-3304-000000006F02}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.068{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F1DE-62DF-3304-000000006F02}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:34.068{F81F30E6-F1DE-62DF-3304-000000006F02}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:35.815{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175F126ECD92BE35877C5BC1A11F4752,SHA256=4435E6BCE10F39A0AA6BB0ECB18AC7944697924DAB7F9D530BD7BA957DE0203F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.971{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F1DF-62DF-3604-000000006F02}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.969{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.969{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.969{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.969{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.969{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F1DF-62DF-3604-000000006F02}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.968{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F1DF-62DF-3604-000000006F02}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.968{F81F30E6-F1DF-62DF-3604-000000006F02}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.804{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A522A74C0034FFD4EAEEF771A69B4C,SHA256=E1EE2B597F62F024854DE6FA3B400872413BD421C6A0E3D0BED38939B98FE903,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.604{F81F30E6-F1DF-62DF-3504-000000006F02}4992908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.434{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F1DF-62DF-3504-000000006F02}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.434{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.434{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.434{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.434{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.434{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F1DF-62DF-3504-000000006F02}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.434{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F1DF-62DF-3504-000000006F02}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:35.435{F81F30E6-F1DF-62DF-3504-000000006F02}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:36.908{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9EA3630A401BF1BB85662914630EACA,SHA256=75A0DEEE0B5ADBA5A2152844B3E167F71977B2249E01F27C153869E31826DF0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:36.834{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9328F154C8851AEFCA8C2215B04FB0,SHA256=D6F098B8DEDC3DC1053EFF7DA29AEFF5299BD2A2D2967DA559EBD2D5F1E0D347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:37.866{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953C3CD464BE5ADFCD22B373B65579C8,SHA256=3325CCBCE739FD4A8931974B6E3A138CF7225B3BD6AA05F07F58DC8695918D55,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:35.292{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50929-false10.0.1.12-8000- 354300x8000000000000000275053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:36.194{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64832-false10.0.1.12-8000- 23542300x8000000000000000275052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:38.900{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379B20DC2E95D841C3DD7C0AB69DDF47,SHA256=C9ED13B607F97E8DCBAE41C43AFFDB44800CFCAA2D69DF71316033FEFBEAECD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:38.002{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C2AEE9D86AAAEEB5955262AF692D9BB,SHA256=42AAFC5842ED8AFE4115BC5EACC23EE3C748E00BA561AECB1E46C26565279D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:38.201{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=C13E365239FB1E9EDE9E877776ECF4A0,SHA256=800C2678BFACEA13AECD04DA7D691DBA2AD6AC4D166BB8A49992A883B792D463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:39.946{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF721E007557D0B2CBB83AB2F5A1C72,SHA256=5FC7F30745CEE8546C66434CF472B815E17E3764F046CECFF18EB9C43C90C0E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:39.096{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052FC4AC43EBE7B90178FF33BFD1550A,SHA256=E83DB2CC8D06B0F19D1A2180C0DC7660C8333B9C8B562784BBEA3EE3CB64A81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:40.190{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12BED476635727EDD466BC6C5719DC6,SHA256=902C0E9F62F6EDADAFB8E247B07F116B76851675F0EB4364421618C2EDD1641D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:40.293{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50930-false10.0.1.12-8000- 23542300x800000000000000051923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:41.283{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECB9207FDDFDA383577188C682E131BE,SHA256=D664FD1E7C7BB3D512A3D6BA8A2C7132251D749C080D89F487B8A20EA9D9FAA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:41.282{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:41.282{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:41.282{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:41.282{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:41.266{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:41.266{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:41.266{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:41.266{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:40.998{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1B16D4EF1B1CD0408314575CB8551D,SHA256=5EA90F5D3809B954AB42CF22516664876BDDCF9353E33F79D2B5DDC3CF71A499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:42.377{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937A81EA7010CA05AD0FDB6AA468D0B7,SHA256=0FAFA572CE9279808785B8D0B3057A0DA38B3429938F2D14A3AFA71068C6897B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:42.028{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C481327670ECDD8F07250699F87194D,SHA256=13746C2552BFF7DD890C62FB4334001DBDC5588FB6BD71B1EEC866F9B5ED1617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:43.471{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867D0A57B10DB26F9E9B321ADC6ED9F3,SHA256=4EE82A8D2B0796B4C34A13D597FF2AEED5D8DD900DDA83338521D79E1FE589E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:43.164{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:43.164{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:43.164{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:43.164{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:43.164{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:43.164{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:43.164{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:43.164{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:43.160{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0133A446EBDED7691434E8A10ABD4309,SHA256=A4E10894D5EAFC0A12070F785E9DCE5D308D9EE43FD91BB863761B6FA9F7FB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:44.565{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA83BEB6665ED450C6E6EC83436287E,SHA256=412AC488DA3930F4E8BD0537FD1DBAFC0D51DC85163E34A3D2EE1AB95B598512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:44.180{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B31E17EBED209D18CE9B510C031D25,SHA256=BA215817C41C760D70C0B4B6550D4B32048D2AE4934EC56B0F4A4462EFEF0BE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:41.219{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64833-false10.0.1.12-8000- 23542300x800000000000000051929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:45.830{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:45.658{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F94417E704569390E2FBE831BD5F459,SHA256=DEE69FB8920732BC4EDA7A380D61B92371F418F942DA6A5F30651F834FDD80AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:45.211{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18C00A7E93EB749820B146D436334DE,SHA256=726DF10BA0A5D2A206DCA67E7EDA9D77796F9C95C406EBDE9DEC46F437763CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:46.752{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC0F8AF721A053BD621CA937F12A476,SHA256=3435BE22A7DBBC6706A28B8897214A410F3CA86E52F23FE7705287563EBB0C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:46.258{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF02E9DE0F557572B1456917190DC69,SHA256=8C4D5493D0BF20AF10526CCA36E6D02171CE7ED1589B2F034BC774BD15B6980E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:47.846{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45FC278AD7C61E7EF821BB3DE84A29B,SHA256=35568BAE2635D06544BD5A3961FD84D43FAE1A041243303A1479096D740EB6FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:46.105{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50932-false10.0.1.12-8000- 354300x800000000000000051932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:45.886{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50931-false10.0.1.12-8089- 23542300x8000000000000000275078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:47.293{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0299E051C32FE1A2335E6EB48E67BDA1,SHA256=350EC1F47F3E5DF5B6EC0DD23C6D0922195BE6065F84CB451C4A265562174FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:47.440{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=32D5E9335C57504E794F923DFE03D671,SHA256=F790342FB22488FD6A57BE935350D5EA7B520A38DBB6D49E98F4C4645F40C9C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:48.940{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68332B65F334EA9DD33414A492573A3E,SHA256=CD3B102820C2F100CEBBAD20472232D784A55D15ADBF1C4462FDA3CE8E982302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:48.823{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:48.308{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68B3DFF361864E58942366BBA4DC140,SHA256=107E109C29A0F6D66542EF8A23A9E7B1082F15B2B8ED6A48EE8857CCA5636414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:49.339{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3AA72BC6C1166FAEDAEB758B005F2E0,SHA256=6E87AA777D8D36C8B5AC6679869F9EBDFD59C62983D1A9B6C12BAF000C67F638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:50.359{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FC55D3CB531D5051D5A4B22C8B3EC7,SHA256=D0F7DC68A479C5917A7EAA99A090B8C35E18E1EA6F06FB0CBD26C5C26AE073F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:50.033{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554F4C02068402216FDC73F3D7D0F017,SHA256=79503BB80E92DA795DB6FF641DE332BF72B5988BCEDCA9FE90FA53A2188A2C5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:47.815{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64835-false10.0.1.12-8089- 354300x8000000000000000275082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:47.148{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64834-false10.0.1.12-8000- 23542300x8000000000000000275093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:51.406{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B32A43E8243E722A1E33DB5AF7B1680,SHA256=581D442C6C74FDC4F6607DF3CE4E1D258CA8EC7273E75E4CF117A5FF669DE2D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:51.127{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F84259706C97667E1CFAAFD914966D9,SHA256=7DC22719B0EC5FF5DED4A7E049F97860DE9E071456BC486D39EFDB753AAA1EE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:51.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:51.206{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:51.206{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:51.206{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:51.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:51.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:51.191{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:51.191{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DFD4-62DF-B601-000000006F02}1556C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:52.453{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED73E174992CF22646670216B6E47A39,SHA256=F587068CB43EBFD548A7F3D47F41E4E57AC22F8114F563D792CB3674AD881BA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:51.136{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50933-false10.0.1.12-8000- 23542300x800000000000000051938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:52.221{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4ABF0866E4283966B1D71B4D874F140,SHA256=CF17F6E55BE5CBF506330556221276EBA93696F3AE341DAA6639E7C3968F7033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:53.604{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9A6C7FD4BE5927049B709DDCE6FD0A,SHA256=87AFED1159BDD4F78A53C880EB4629099789FA90B094FF095753E79604718F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:53.315{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2272A0B192AF4FC5988B7E0A0B6FD74,SHA256=AFFDA99D6CEEB0FD8A54EB89592E930CA991A652BBD63B43D58D5FD595F30BE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:54.652{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC25298E9B9095F67E7F3169EC2DDC73,SHA256=A668A27BEA07178EBDA264715AE8A58CE8FADABC99DB55585CE5DE3E589C5A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:54.408{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038FDB6610F05B66C862B66FF49E3665,SHA256=F516BF0C0E3FFB9A2362DC939184ADD3992A54C8296F805488411A9C415A5618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:55.704{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1240CE9EB813674380013550F3B74EE4,SHA256=5F887A54DDFEE957E9F81D57ADE5150D8B5F332B17848F70990E9B5DF00000E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:55.502{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4316A55CEF8360ADE1287EC5DDCFEA24,SHA256=2B7043B96A700772B073BA89B7143671A0D3D42C9F6A6BB4B8621FA0E3410AA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:52.259{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64836-false10.0.1.12-8000- 23542300x8000000000000000275110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:56.853{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B15971D89583FF41D0A22407121D2A,SHA256=B5638CEA77EC2B3B740A145BFFA85FD3314DFC52E9A683B1BB15B5DF0570798A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:56.772{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:56.772{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:56.756{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:56.756{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:56.756{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:56.756{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:56.756{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:56.756{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:56.705{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=945376D175CECC4013C0DDEEF3D8E9F7,SHA256=E30C35E11E666B1D2D42070410F2F1F41113F9A9EB50978BB698ABF0C56CA8EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:56.388{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000275100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:56.388{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:56.388{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF5fa4cd.TMPMD5=2ABF509D362ABF1EAA6CE721F2650098,SHA256=C2898C15FEEEB9276EC778745C62BE21DFA276180BC02787DA6F726B2FF36004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:57.854{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F634CE32CF16E3F348090D2FD1BF33B3,SHA256=04D1B93C8A58A99E6FD704D79435A953B88EE6C7E0A3713791F34C4E91ACFF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:57.799{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C68FD8D1D4C02D5A485D1EC565382B19,SHA256=FD244ED3A40C527CDD6B830C9546743FA0B0080A5F7CB374EC106CE6F5B0C0ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:58.971{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B946945017F22A5D0472CE8A3B1103F0,SHA256=5B5F1DD2282A0C6F2E057DD6DC779ACAAD1ED276B8310D4251DE57807E6E2DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:58.893{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD1A85408381A0FA7930DBA88820D88,SHA256=51DBD215FBEED6AB7329AC7634B345F03C920F18C2AC0FB5848D11CF5F368BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:59.986{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE93B1216B82C19476DAA89641BD1D24,SHA256=B77EC62A2F554D74463357153878C5261FBF7A18378C8E90F78FE5F77387AAFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:53:57.136{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50934-false10.0.1.12-8000- 23542300x8000000000000000275113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:00.086{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4524D0FBB7A70FA334AC2B8EF5507443,SHA256=44FCE717F55C4BEF57956759BD6BE234E944CF1700329EE9B5B8E70C68571F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:01.080{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D979053DBE8BF862DF7DBC28F20790B,SHA256=E14A4C9C75158FE21D6D57AFF9DB57513EDD02F7E8153880443994844B8BCD2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:01.269{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=704946BB7845474F0844F895A58061CA,SHA256=B645A66A32B01683DBE732DC3174820BADBD7D3CE4B884804BDFAB9BF76F0CB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:53:58.209{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64837-false10.0.1.12-8000- 23542300x8000000000000000275114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:01.132{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330AF976D666F4230875A162BA93A8E1,SHA256=233C37B73CAC20EB4DD922C38860DD33F37E2BDA990B6A44F2BA7249AC1FFC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:02.174{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3518003F1066BF2135E09B9B710B39,SHA256=3863847D94050DD1E14918C436E144F764416CEB3801759175355A462790E915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:02.250{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEE3CAA6A804CC9E2120EAEFFA32088,SHA256=16DE6FDFBFBAD99A68CC80B8E804026F6EA187BB2B811AC0ADC5CD38AC045A2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:03.268{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5D37CCD860A4E3ACBF5ADBA69A8C63,SHA256=A49EB51F80A5BA09F0CB1EC307652DD3E27AFA2C5F10CCB5D21DECF3B317F874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:03.719{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07BE5E4268664347BD2FBCD097E5C5DB,SHA256=20FFA086699F2FA6392C5DD3BE2D74DFFF560F2727288874E56AABA2EA79CC3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:03.273{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E594750BE5B11C9FE7987C829B55578,SHA256=B3166E264051AE1144421000FF6095609AC23D96E842031E94CB2EA1D33F2DB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:02.292{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50935-false10.0.1.12-8000- 23542300x800000000000000051951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:04.361{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9C25F77B898C6F95797ACE2B70C1B1,SHA256=0BA8A82277B8A9048E08546071407CDC1D29559398A96DDDC013A828DBD3FE76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:04.318{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0F475401A244222DD98F4125794BDA,SHA256=13C5947A317B7451F62F36C940DCC4BD5E3254E3E285CFD736F9286A3ED9F87C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:01.643{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64838-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000275120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:01.643{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64838-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x800000000000000051953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:05.455{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A6E8371F1A92B459553E3B54FEE241,SHA256=EACF16C576BFD64DD1E910011285EEE528CC5234C20E76063EA973648753C031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:05.351{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB33AF92064B418A17637A2D5D14DD00,SHA256=5D6529083720D0C70513600ADC2E2A302BB9C3B7670E93B0BFC407433C8D82E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:06.549{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F61AAB0158EC9C1D5D466C98CC4844,SHA256=ABDB4406960399C19A336D0B62C04714D0884F874DA70AAA2459C1BC67E35E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:06.469{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4999E0EDF4A7E435CD2FEA7C1B08C97D,SHA256=8150DD8B8D91480A4B62B1872DB7034D1B50074ABB6D17CD6DE6E7E48429A772,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:04.078{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64839-false10.0.1.12-8000- 23542300x800000000000000051955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:07.643{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC94A1B9890848941F21AA1243361563,SHA256=2CA974657F18D5A7D88245420FB0FF5D5C7075BEDDE84CC8BA3219958BE93FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:07.970{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Users\Administrator\.idlerc\breakpoints.lstMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:07.970{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Temp\h.pyMD5=776ABE01BEDCC17F182C3DEEEF44BF9B,SHA256=AE81D1616770CA585EC5E271AC7278C2EB8B3BF08FD41906A8F2C8500DC7B71E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:07.601{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589561A8D591A1E1151D8C135B614ADD,SHA256=DC6B4207DE4EFDFE213F8B16A96653E6D9505769A1DE60DA8215533823DACE2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:08.736{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654DB6C9A853C5D41A5777507B3DB004,SHA256=E6C343C614A5AED8AD15CE48EBDEDB4A28A2598F3351B3EC62E8E2C9EFD658DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:08.750{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA1C4A01CC5265B938018F86798C1A5,SHA256=9B4302D254FD9BB6178AD1A237AD00326361FD5446FE387D6CD7A0C224A29739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:09.830{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212547408C79F6A018F19140CFEBE684,SHA256=39B07F6DBE163EBAD0095469BB30F71693E603A246566935767FCC1976E13F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:09.852{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6848E40646B569E63E5420CE25DD7A1,SHA256=F83152A283D7050519EC588A45EC24F1FC713830DB2E1209826EEBF2C58C6F36,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000051957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:08.292{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50936-false10.0.1.12-8000- 23542300x800000000000000051960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:10.918{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FADCAD4C5DFA6C9C229F4B8D4D6C8D,SHA256=DA7300FA535DE647C40A8B11A5F0B2E8E90BD3D9DAA8F8D74EB16883C0333897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:10.903{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC23E4F7D486D9DA1870C36F7CC6050,SHA256=4331F2CCF56F07CEA4AF02158AA36DBF831B07DBA3ABEFAA9B2D98B30B634418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:10.428{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-101MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:11.952{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E5060237B4995F81D0E4F382A8D4B0,SHA256=FAAEEEF0A651E2AFCE10B1F9F136DA0C3B96B3CA2D657949B18E38BCB9BECE84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000051961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:11.435{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-102MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:12.559{53069400-F204-62DF-5503-000000007002}588352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:12.372{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F204-62DF-5503-000000007002}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:12.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:12.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:12.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:12.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:12.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:12.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:12.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:12.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:12.372{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:12.372{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F204-62DF-5503-000000007002}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:12.372{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F204-62DF-5503-000000007002}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:12.372{53069400-F204-62DF-5503-000000007002}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:12.012{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B230CE4F5B97D15BBDCBE866DA8C7FEA,SHA256=5700F675989EBD2F5CB95191CD22A2E59E170DEC29494CCA3C5B40F9F93136EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:10.078{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64840-false10.0.1.12-8000- 23542300x8000000000000000275136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:13.433{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Users\Administrator\.idlerc\breakpoints.lstMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:13.433{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Temp\h.pyMD5=B13BD1EFFF0F31FF50F150BB870F3189,SHA256=AF540B80DE2C0019D3D99A1819C84E2A3BA2F634D7C1FFA182863A7409ACD6A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:13.102{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CEB3DD32138340E3AFE29397469A0B0,SHA256=D44EB20977D51AF5E228E72C26BA34E23BB6EAE5C5A0FAE99D4D2EF8CB45699C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.716{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F205-62DF-5703-000000007002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.716{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.716{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F205-62DF-5703-000000007002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.716{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F205-62DF-5703-000000007002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.716{53069400-F205-62DF-5703-000000007002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000051992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.434{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C24F7A4BAC95BE852C3E48E88E38C521,SHA256=DCAA3EB46E6F5C76F902A10B93B75887D557C838DE7FD9CAF34471F41C827260,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.247{53069400-F205-62DF-5603-000000007002}28483916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000051990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.106{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B1D7929D43D3B99C01AF5CB2E8530E,SHA256=B61662AFC5AB5CDC0171DC825B6366E919FA43BB8E6C2F328ACCFC65B51B022A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000051989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.044{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F205-62DF-5603-000000007002}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.044{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000051979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.044{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F205-62DF-5603-000000007002}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000051978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.044{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F205-62DF-5603-000000007002}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000051977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:13.044{53069400-F205-62DF-5603-000000007002}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:14.250{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCD09F3D4B242B003EFF84F3958201A,SHA256=6BE11D5554838F6433B8C70E5F9F6E3A3B021CCDFF10EB2523230468F41E8385,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.887{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F206-62DF-5903-000000007002}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.887{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F206-62DF-5903-000000007002}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.887{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F206-62DF-5903-000000007002}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.888{53069400-F206-62DF-5903-000000007002}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000052020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.356{53069400-F206-62DF-5803-000000007002}26962404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.216{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F41E587D8FC57169B292E8FE50F93A,SHA256=140619DCB4D37D6E53F63DE7B8318BAA2FC9D9F3096FE76D110B0F858B749316,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.216{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F206-62DF-5803-000000007002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.216{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.216{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.216{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.216{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.216{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.216{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.216{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.216{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.216{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.216{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F206-62DF-5803-000000007002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.216{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F206-62DF-5803-000000007002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.216{53069400-F206-62DF-5803-000000007002}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:15.385{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E308E3E5FDECAD78DF7243FB35DE770F,SHA256=07D7C19122604DC8562474E92A14C2A0F788D41C7934BFF4A1872B257F163192,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:15.700{53069400-F207-62DF-5A03-000000007002}11841072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:15.559{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F207-62DF-5A03-000000007002}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:15.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:15.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:15.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:15.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:15.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:15.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:15.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:15.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:15.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:15.559{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F207-62DF-5A03-000000007002}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:15.559{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F207-62DF-5A03-000000007002}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:15.560{53069400-F207-62DF-5A03-000000007002}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:15.356{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C5B5A99283F41F6751C40E7ED291F4,SHA256=A98E8FE6B3DBA3AEC7DC6BCC608236320DADA9BD6B37306168A244BBD296721C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:16.515{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37BFA932D39A6DC87577AE90175CB898,SHA256=F48F84C995ADC3C989C8CFFCBA6E9E7440C150E37CDD0FEB5FE5B883275D6E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:16.606{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73157899554B9A8B4227A715695378F,SHA256=0172A5829C1DE3D451C21E88B035BCE9FC481680CC429FFCECF98CAD493444DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:14.178{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50937-false10.0.1.12-8000- 10341000x800000000000000052061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:16.231{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F208-62DF-5B03-000000007002}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:16.231{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:16.231{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:16.231{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:16.231{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:16.231{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:16.231{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:16.231{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:16.231{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:16.231{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:16.231{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F208-62DF-5B03-000000007002}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:16.231{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F208-62DF-5B03-000000007002}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:16.232{53069400-F208-62DF-5B03-000000007002}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:17.568{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAF11B6DC57050028C60A6EF6747BA4,SHA256=AFF953D4CD43CE8CE63D3C167DA5E6489277DC918621F9C3CEA6656C152E7B19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:17.684{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6C4F2D6843F0E5BB7A9A0040E8196BD3,SHA256=D742EFCEECFD3DF5ABE2DB05F3BD180988F46FF60098C53988B2943787D8E2DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:17.622{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACB4725C92421F225E02949135AD670,SHA256=BC734FAD0E13E4B702AE271CFF564BAABD3A0CF4A45B2965908F1DAC54675027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:18.716{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2221D9891D1CA5B3F656ABBD842639AF,SHA256=3AD1CEB0B4B121F2A04E9D7C9E45D3980CBC4F48C131956CDCB9F7F9A49A65D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:15.155{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64841-false10.0.1.12-8000- 10341000x8000000000000000275174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.330{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:19.809{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15134867CE18C8844327EA0E6A7E68D5,SHA256=C66731DE3484DC52074CB460D1C729554B54DEAD10C0C5A50E1A8465D0CE6723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:18.999{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E189A602971914C57570D431FAB8C6A,SHA256=F8FBBA3DAEBEE7C1393410D3ABA6DE5B8B04E2B0D030556C1B02CCA9A63F4A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:20.903{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5F504D8508BCEE83B8BB526F26C4B3,SHA256=C38266321FE9E9561D849A272413BD7FCA59D3BE85F03CA37D934BCA612140F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:19.193{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50938-false10.0.1.12-8000- 23542300x8000000000000000275177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:20.098{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F885A4DB271B4BC0CC46DAE056AADE6,SHA256=BD00C22F0B9689E0A0CEBCA85A5F223556E2BD665D9A8D36B5BEFD5296F76159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:21.997{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BE23EF0FCC78E866A0DCC3FDB0CF59,SHA256=95FC807249292C5227EC0BDE85620D84D2422195ADFE909D418D86A85FDCCD89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:21.145{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D7406B20B8DC206527A9BF8160A334,SHA256=E6B1A36DE38A30BCF56998AB97D4DF8CDE040D7731D8F39417BCC12310F63845,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:20.188{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64842-false10.0.1.12-8000- 23542300x8000000000000000275179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:22.196{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A71D1DCD8CA8484AFF32182D023A2E,SHA256=96BCB1900FBDEA17D9BBC233F07E585AB6B9402048814DABE9EF743B22FEE2E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:23.091{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEADE89F01998C9191A4DFA64D4B0CC,SHA256=2323D12D5DD4F2FA175A03BA6B8597E8186277E57AFC9458AE572674DCFE827A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:23.226{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE59081A7EB3196BFAA6D13F55886C0,SHA256=9BB4206B414D973F0F94BE81F54B6BDCEB50AC4423928F328F68CC36C5F7D7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:24.184{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0246A4F4FB244DD0192E2336D00555,SHA256=68EDC2B63DE4330D8AC5F5C5D9C0273A15E85C6D0A7D6D8F1E373DC41B5C1A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:24.596{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-101MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:24.363{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387FCD7A70DF03AF47EEEE536C896887,SHA256=0D783700657D8BC1DE1FF2AADC7D8C36EE9A387DC41E55A9CD1F468D98F21F33,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:24.287{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50939-false10.0.1.12-8000- 23542300x800000000000000052073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:25.278{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E29FFE2FAEF578560AC8E2E189725B,SHA256=18CAEC359E0FBBF675FAC581F818931A7429734E544389B6FBF376676B6A3DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:25.611{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-102MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:25.494{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBAEBB40297B1A17D7EDB3E45BBD1CC,SHA256=5E3D1E10240F8A1A3498E0D65F3B4A9C034C806FF86A3FC160A5E29BB0D55F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:26.642{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE235A6A218AAC6557B0A21618B48F67,SHA256=BB3C50368488D901CAA88A22D1D2D5EC5235B81C5B130E1C206CDC4ACA149B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:26.372{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CF3617995145F8B5C359228B61A25C,SHA256=0FC33F02D146BF1D871ADEDB82CF6779B1476E87B3DE534AFD030E9BDDA96B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:27.776{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015F57F381EA8055F09D309D9CC55B72,SHA256=45554A7DB918FA65B7776BF0D23E65E1871C01C750D53D7F26761A6CFE000409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:27.466{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBA397254B156729E1530A3783A35D9,SHA256=4262731B9CEEBB1ACF220862C83D43CBBED053DB24023B02E2C583A849AD1A54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:28.976{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:28.792{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034E3A9CA9D3B1607C7BA77A2EED38D7,SHA256=EA64A07B9C29CB41F54D5C776485D80AEFB6AE9801FB7B0E10479BAB1220FFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:28.559{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED70AADDDC70BA87D08371A3E4AA9146,SHA256=B74C775E5896FBA7ADC642D047B8B891B51101235CF057AA29B4169EAA528E53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:25.248{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64843-false10.0.1.12-8000- 23542300x8000000000000000275191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:29.822{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D0D2CE892903A7FFEDA7267EF8D581,SHA256=A1217626C3B0AA71DF66173B0FB37A298859C44B425E3DB807F7D1D38BA69947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:29.653{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DE0FAC86D0D8373C27937227B6BD73,SHA256=3DADC4423DAECDAB46D0F3E2F47EB76E61F807C48BEA5A4F38048F9E1BA54C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:30.747{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51636E91EF314E47E1091FE3D7084F6,SHA256=1B060B07BDFE227CA108C09BFD709A7202206C73324150CF3AA74CBE219DE7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:30.874{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9519BA9947BED0B0DC2A6FC35B972AB1,SHA256=EA716D0D6A0EF038BCC08934944E910ED98710D477D4EF8E6536A7C594A56286,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:30.193{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50940-false10.0.1.12-8000- 23542300x800000000000000052080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:31.841{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EF531C14B81AED9726B4D56B051DBC,SHA256=70C17765F6BFFC60A818FEC25F299C3D6B73DF754688CE42666FE87132B0DBCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:31.920{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71DDD5BD57102BFF87F965D3FD080AE3,SHA256=15107F3DDB40769525309CE4E1E561507F311D3987991D2D97D360D0D240E3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:31.458{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C91B241DED257FD83BAD292472A6DE2F,SHA256=B2FBABE935302AC080424AE8E56D55EFB28F91300CB092C8EC990092A8CC92CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:31.241{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Users\Administrator\.idlerc\breakpoints.lstMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:31.237{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Temp\h.pyMD5=E579EC666D94D2F28A109BE3371C1BA7,SHA256=C8222634ABA12FA808FC5CC3A1C1E5821F3182D9D30C05EB59F196688D6348F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:31.042{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Users\Administrator\.idlerc\breakpoints.lstMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:31.042{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Temp\h.pyMD5=59C5FE0F83C5F0759A89053017728687,SHA256=D5C961CE52631482E21C6A91B02C0459719351440E8176FE9C173ABA774FF3F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.972{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C108E9B95437E8D2CB8DC7359C646D37,SHA256=28F35F82D76B8BAF9D8E321B8D79278ACBC5F74E3C3827B96DDF4D3FBC144792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:32.934{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABEA7631BF71503A06C45B699154C585,SHA256=D7EFE439DDCD8B07364534334E33FBB109963A4CECA99853840AC71BA60EF001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.919{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F218-62DF-3804-000000006F02}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.919{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.919{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.919{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.919{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.919{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F218-62DF-3804-000000006F02}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.919{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F218-62DF-3804-000000006F02}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.920{F81F30E6-F218-62DF-3804-000000006F02}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000275207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.404{F81F30E6-F218-62DF-3704-000000006F02}48404600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.239{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F218-62DF-3704-000000006F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.237{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.237{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.237{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.237{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.237{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F218-62DF-3704-000000006F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.236{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F218-62DF-3704-000000006F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:32.236{F81F30E6-F218-62DF-3704-000000006F02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:33.981{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7C85DCA3A393E82944DAB4492936ABAC,SHA256=A15789FE2ABFBCEFC49B2B9DE6E20E458F2AC19C5826677F725FE1CDABF6EF2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.918{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Users\Administrator\.idlerc\breakpoints.lstMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.918{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Temp\h.pyMD5=51FA8D1DC750CF017FEB513B00DCB9BA,SHA256=09201749D281CD1B00EE1C211633D95B03E0E65E53698C5D4B69413FBACDD835,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:31.165{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64844-false10.0.1.12-8000- 23542300x8000000000000000275230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.756{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Users\Administrator\.idlerc\breakpoints.lstMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.756{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Temp\h.pyMD5=51FA8D1DC750CF017FEB513B00DCB9BA,SHA256=09201749D281CD1B00EE1C211633D95B03E0E65E53698C5D4B69413FBACDD835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.618{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Users\Administrator\.idlerc\breakpoints.lstMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.618{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Temp\h.pyMD5=E579EC666D94D2F28A109BE3371C1BA7,SHA256=C8222634ABA12FA808FC5CC3A1C1E5821F3182D9D30C05EB59F196688D6348F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.587{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F219-62DF-3904-000000006F02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.587{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.587{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.587{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.587{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.587{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F219-62DF-3904-000000006F02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.587{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F219-62DF-3904-000000006F02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.588{F81F30E6-F219-62DF-3904-000000006F02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.340{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45E72FAC05A8CB11B338086E8733F00F,SHA256=2C60143DAFDD94BB8CA77494CFE0D18AE22604AC2A245D1586584478370CD33D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:33.103{F81F30E6-F218-62DF-3804-000000006F02}23726696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:34.028{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDFBBCADE709B650F4042CF8871B427,SHA256=6B9835DEE772D4C5493CC6D6F4AF7CEAC41C174CF30FCFEC994C5D50F942E68A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.943{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F21A-62DF-3B04-000000006F02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.943{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.943{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.942{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.942{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.942{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F21A-62DF-3B04-000000006F02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.942{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F21A-62DF-3B04-000000006F02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.941{F81F30E6-F21A-62DF-3B04-000000006F02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000275254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.758{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.758{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.758{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.758{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.758{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.758{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.758{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.758{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.721{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E4F1A5830D1094F142042110D119CB05,SHA256=2380837C4CFFCB23158C6C033603519B1DFB561404E8D40941B5B685A838441C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.440{F81F30E6-F21A-62DF-3A04-000000006F02}78405292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.271{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F21A-62DF-3A04-000000006F02}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.271{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.271{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.271{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.271{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F21A-62DF-3A04-000000006F02}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.271{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.271{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F21A-62DF-3A04-000000006F02}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.272{F81F30E6-F21A-62DF-3A04-000000006F02}7840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.071{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Users\Administrator\.idlerc\breakpoints.lstMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.071{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Temp\h.pyMD5=51FA8D1DC750CF017FEB513B00DCB9BA,SHA256=09201749D281CD1B00EE1C211633D95B03E0E65E53698C5D4B69413FBACDD835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.003{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED433FC7DCCF4A79AFBE2DDA6F9D798E,SHA256=D96D398E24B74BBDDF908E33E6E534184BD55E1EFE3FA7FEE8CFAB3DF8D17AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:35.013{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80753317A267A0FBD9AB31E1B2573EA1,SHA256=BFB56C18052C322B962DBE38433D3E71F2360AF68215C689D0F02C50199B1B3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.944{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F21B-62DF-3D04-000000006F02}436C:\Python310\python.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.804{F81F30E6-D9FD-62DF-B000-000000006F02}56685648C:\Windows\system32\conhost.exe{F81F30E6-F21B-62DF-3D04-000000006F02}436C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.804{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F21B-62DF-3D04-000000006F02}436C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.804{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.804{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.804{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.804{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.804{F81F30E6-D9FD-62DF-AF00-000000006F02}56765672C:\Windows\system32\cmd.exe{F81F30E6-F21B-62DF-3D04-000000006F02}436C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.807{F81F30E6-F21B-62DF-3D04-000000006F02}436C:\Python310\python.exe3.10.5PythonPythonPython Software Foundationpython.exepython h.py 80C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=B1E4A59F3F1C7B6F250319D58798D3B9,SHA256=0467DF606D98305B25A040E051CF8876A553A61DA1031E51E6E77B15FB18B964,IMPHASH=4532ED405F27949E7A9CE4879FC06EC9{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x8000000000000000275272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.620{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F21B-62DF-3C04-000000006F02}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.620{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.620{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.620{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.620{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.620{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F21B-62DF-3C04-000000006F02}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.620{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F21B-62DF-3C04-000000006F02}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.621{F81F30E6-F21B-62DF-3C04-000000006F02}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.105{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8674382421ACB65DC82CBBBB69E02B63,SHA256=0FBA8BEA6FEA33B50B1109EE7AD9B79F4098FE86987246E7DDA6968F66029208,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:35.089{F81F30E6-F21A-62DF-3B04-000000006F02}65246500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:36.244{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F21C-62DF-3E04-000000006F02}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:36.106{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95734A9831B1140B603F19CAD2DC2115,SHA256=F3E0B1374A68B3B04AF3916C59D4078497E582EF293E8B186E5EDC76FE2FD334,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:36.242{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:36.242{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:36.242{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:36.242{F81F30E6-D97C-62DF-0C00-000000006F02}8526024C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:36.241{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F21C-62DF-3E04-000000006F02}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:36.241{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F21C-62DF-3E04-000000006F02}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:36.241{F81F30E6-F21C-62DF-3E04-000000006F02}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:36.145{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD68E9D8E638B6055DDB1201EF35B88,SHA256=6919FB12A81CFFC5908324B66338A9174F985B079266C760B8FBAB07B1E846B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:37.201{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13D88331153912A7D4628ABC108EC8A,SHA256=102534A9B51EBAEF3AE964252E46D2F1E1CED00EF9FB713EAEE3770987089892,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000275297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:34.945{F81F30E6-F21B-62DF-3D04-000000006F02}436win-dc-ctus-attack-range-5020fe80::513a:aaff:ea8e:f17;::ffff:10.0.1.14;C:\Python310\python.exe 10341000x8000000000000000275296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:37.923{F81F30E6-D98A-62DF-2B00-000000006F02}26561432C:\Windows\sysmon64.exe{F81F30E6-F21B-62DF-3D04-000000006F02}436C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:37.894{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:37.894{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:37.876{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:37.876{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:37.177{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489E43324D89075C4A5251584EFD447E,SHA256=1C7EB63F7DFD44DA9EF1240C88B6EB4AEA2B77554A95DADA20D906D549A1B0FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:35.318{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50941-false10.0.1.12-8000- 23542300x800000000000000052089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:38.295{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064C54B2E7D6AE21D1D79208C45A409A,SHA256=A43412236AE0A23455865D59C04A37D110B6E40A046144EAA624D55A0521FBEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:36.185{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64845-false10.0.1.12-8000- 23542300x8000000000000000275299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:38.223{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2474BBAEAF83435E46860AD8237D6413,SHA256=ACA8F0EB763157CB9928F25890AEF32BA2B1CBE0F6D8FBB81C5EC3399C75C1EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:38.207{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-E923-62DF-FF02-000000006F02}7404C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65b59|C:\Program Files\Mozilla Firefox\xul.dll+e65e38|C:\Program Files\Mozilla Firefox\xul.dll+11f018b|C:\Program Files\Mozilla Firefox\xul.dll+e627c7|C:\Program Files\Mozilla Firefox\xul.dll+e47217|C:\Program Files\Mozilla Firefox\xul.dll+1f2a9d2|C:\Program Files\Mozilla Firefox\xul.dll+1a3720a|C:\Program Files\Mozilla Firefox\xul.dll+1a39c05|C:\Program Files\Mozilla Firefox\xul.dll+1e41e06|UNKNOWN(00000034CA763342) 23542300x800000000000000052090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:39.389{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5A0D897517928871160843917AA043,SHA256=4D8C7E4096FCC3A4531C1A05459E7CC2F3550C216215BDB99FF3173B3A41351D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:37.817{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local49186- 354300x8000000000000000275304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:37.817{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local49186-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domain 354300x8000000000000000275303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:37.816{F81F30E6-F21B-62DF-3D04-000000006F02}436C:\Python310\python.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64846-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 354300x8000000000000000275302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:37.816{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64846-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 23542300x8000000000000000275301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:39.274{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F45FA86171EDEECCE1E8B792203E9A,SHA256=007B65DC1C55F8D08F1E2C1AA33A8FBE7D7F99F883AEFF15020CB16E4F424A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:40.482{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B85B0DD425F08148DB9F7C33CD1FD3,SHA256=22A415A2243550C44BB7B5A418559B0DEC3B4C92039BA47DFE5B4F46E9D102E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:40.439{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3485CF6A91ED79C325A282A87FB5E6,SHA256=504C96C72CC65A5D0EAC62D272629C3C599B129529148EC50403F24BCBBAB13F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:40.220{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-E923-62DF-FF02-000000006F02}7404C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65767|C:\Program Files\Mozilla Firefox\xul.dll+85d545|C:\Program Files\Mozilla Firefox\xul.dll+8514da|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+17686da|C:\Program Files\Mozilla Firefox\xul.dll+1a277f4|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:41.576{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EEC90429A52B1A2EC8D4D6F28888738,SHA256=48E03CF285018B2037CD5851B467219177308F4BACD6E3945DCFF3F93EEEA93A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:38.982{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A52434- 354300x8000000000000000275310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:38.976{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A52504- 354300x8000000000000000275309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:37.831{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local56067- 23542300x8000000000000000275308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:41.488{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D40ACDFEE84278DC2090BA49F4D8FFB,SHA256=64EA62C111C14128897936BCFD8B956A211BE348B78AA3740FA8A3C109F1F3EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:42.670{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5582FB124BB441EBFC8C8D5026D10D3C,SHA256=F7E63BACB91863372AB475E8A83E1D22EA9780198D6F423DBC26218A74BE49A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:42.636{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5ECAD6F45A0B07A066BA13BEC849DE,SHA256=39115B1DCC80405A6BEB194DFEA4C4D656F1B004994A1E7638278F386A7E72AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:43.764{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F36CD2FD59105F6C79795171B56C71,SHA256=0C0FE026BA1DBF70C5DC998259DC98A9441440B9AF2B3777AA4B56EBF82FF84F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:43.818{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\cache2\doomed\16782MD5=46F106D316B8D6B27C09D1B66A2340B2,SHA256=7520CC11447F10EE63113C6B022FC0E948EC4494707269838DEB6BF2938727D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:43.671{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=469C6CC379799C79B9E2DA58FD7656FB,SHA256=173E34B2E3280DD32F0A3F4069D87026F73D05AF817CEFB85F05D44EAB25642D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:41.304{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50942-false10.0.1.12-8000- 23542300x800000000000000052096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:44.857{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799F7B6AB45C406A79C49371251182EA,SHA256=6568E9EE3BAD93B943EA357328BE57465FE0B80268B7E591B4D3075CBF8515C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:44.717{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F2F1542B6B524A30561343EBF3CAE7,SHA256=AA799D08207E2C5A9EE02E0A43FE3A1E16602DFA1EB64206E73BF322ABC525D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:44.439{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:44.439{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:44.439{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:44.439{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:44.417{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:44.417{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:44.417{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:44.417{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:45.951{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94615BB0E165653B7D98A0C5FB4B8292,SHA256=79305963ACF5058E4521440BAE9C8B3E174CCA557D356EAABDB019C2E6AB7543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:45.753{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5AFD3E8CC31DA59CC991A3B7B992092,SHA256=AAE3D83D4E67349A6CB21BD5869ED428BC1E2F7AD6B45BC3C7584310D6C6311F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:45.857{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:41.226{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64847-false10.0.1.12-8000- 23542300x8000000000000000275332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:46.914{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6341A268DEB3192AC3EE03ABE52438A2,SHA256=7E4030796BA2FE3B070144E71CC3EAB0D23E126AA72213B98B47A90051FB7AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:46.873{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5F6D07A8C0E775503DD44087E63FACEB,SHA256=C39EA6218962074EC26E6B6811F44337829F58AA0ED0C31C4565A8D1B895B2BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000275331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:46.732{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\AlternateServices-1.txt2022-07-26 13:54:46.731 23542300x8000000000000000275330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:46.732{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000275329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:46.731{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\AlternateServices-1.txt2022-07-26 13:54:46.731 11241100x8000000000000000275328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:46.532{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txt2022-07-26 13:54:46.531 23542300x8000000000000000275327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:46.532{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000275326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:46.531{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txt2022-07-26 13:54:46.531 23542300x8000000000000000275333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:47.951{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1FA7DFD48D2F50D258DFF389E645F65,SHA256=4F7CA5D533606FADEC2421D0ACE66DD25C1F378B6C6A813CE653A57A939FF322,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:45.914{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50943-false10.0.1.12-8089- 23542300x800000000000000052100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:47.045{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E33D69F36CFD6DA63876252E1BADED8,SHA256=858F34E1C04EFFDAF78A768925F9704CD568F33A2F4D14304417A1B8EBF1EAF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:45.976{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64848-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000275335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:45.968{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64940- 354300x800000000000000052103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:46.320{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50944-false10.0.1.12-8000- 23542300x800000000000000052102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:48.139{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97179BA3A9F068575D68086395731FF3,SHA256=72BC33EE0A66E9C93CA9E45BAF5654485CB1CD7F74E17164D3ACAFC5C0178C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:48.851{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:49.232{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE199B67F515F84B02E57F99F5ABB0D3,SHA256=A6C9FB43FAFBD2A7F63141AD61710987C382D496F96A4C37118D1C171DDAD041,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:49.934{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:49.934{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:49.934{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:49.934{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:49.933{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:49.932{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:49.932{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:49.932{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:49.081{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4458F1479DA86312A9912F270B958C75,SHA256=F07E0DE55835B3524AEC0062BEB63F1CCA2AF5B48D708C5925715CCAB1E908C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:50.326{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD31C0CEB8E181441D421BB8E20B9D3A,SHA256=9AEFAF6EEB03A9278062CDFAAF3406C57AC5D6AEFD61100B9F0769383EB28E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:50.081{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D50E298EB39528DFE327C973B35DFAA4,SHA256=05E337D8F744D0D802A7C76D3614E6912E5784136C0A269BE721E996CD588212,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:47.837{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64850-false10.0.1.12-8089- 354300x8000000000000000275346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:47.240{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64849-false10.0.1.12-8000- 23542300x800000000000000052106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:51.420{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8483F74609AEABB9F447394B640DCEF9,SHA256=11DF7244E154D6D2C05E43E48AB17B1956D53440C3DE087CD5A88A0575427F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:51.963{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\cache2\doomed\15310MD5=6953CAB71CAA061DF17B8C3595AEADA7,SHA256=1FC4FD8DC76DD7071A699432CAB75F62B5994726FCB82553E3D9D76AF24B94E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:51.963{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\cache2\doomed\6187MD5=5D3E923CDEBE2FB2D84C4EE0992B5988,SHA256=0C18CB58A403E6B7A83CE16BCB3CB7F68C293EC7AE7C3E96FEB3AB5684CFB1C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:51.130{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8731B561DD7890DA24F07DEF171BA42C,SHA256=9EC244E944E31F6DF0E2276496E8421EAFEA1E52CBAEFA9D0EA2F4EF0727F47F,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000275359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:48.062{F81F30E6-DAB4-62DF-BF00-000000006F02}2464e10109.dscx.akamaiedge.net02600:1408:c400:188d::277d;2600:1408:c400:1888::277d;2600:1408:c400:1881::277d;2600:1408:c400:1880::277d;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000275358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:48.038{F81F30E6-DAB4-62DF-BF00-000000006F02}2464e10109.dscx.akamaiedge.net023.11.20.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000275357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:48.037{F81F30E6-DAB4-62DF-BF00-000000006F02}2464www.hotels.com0type: 5 ipv6-global.hotels.com.edgekey.net;type: 5 e10109.dscx.akamaiedge.net;::ffff:23.11.20.58;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000275356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:48.029{F81F30E6-DAB4-62DF-BF00-000000006F02}2464www-amazon-com.customer.fastly.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000275355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:48.015{F81F30E6-DAB4-62DF-BF00-000000006F02}2464www-amazon-com.customer.fastly.net0162.219.225.118;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000275354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:48.014{F81F30E6-DAB4-62DF-BF00-000000006F02}2464www.amazon.com0type: 5 tp.47cf2c8c9-frontier.amazon.com;type: 5 www-amazon-com.customer.fastly.net;::ffff:162.219.225.118;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000275353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:48.032{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64618- 354300x8000000000000000275352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:48.031{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local54819- 354300x8000000000000000275351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:48.008{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local59596- 354300x8000000000000000275350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:48.006{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local63036- 354300x8000000000000000275349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:48.006{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local62842- 23542300x800000000000000052107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:52.514{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922885124503834CA1956F97B7E8CDAC,SHA256=DBFE164117137072FD52A852BA599B7682E73820534196F64F757DD007642D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:52.163{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32282939967E956BC06302554B1C62FB,SHA256=BAED41A3F178F544635E9229246D8E3DEE70E5A1A85407ED08B62BB93FD49B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:53.607{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0363661943BAF74BBDE089C6B788880F,SHA256=0D77EB875C66E4FD1E599444C2B41338C00DDA0A1512D88276AA299317C780EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:53.294{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D27DAE9C84E9136BCE8826221C6F8D,SHA256=2B5BFC008E84A42F9E308A433116F54560772E2386CCFE7D335BDED6C4DD990B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:52.319{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50945-false10.0.1.12-8000- 23542300x800000000000000052110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:54.701{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6188BD696859F9A66470B798D5DB9C0,SHA256=AEB3E53AEA48F326B54D69CF7F91424E56C26DC1926301957383C3C537F87842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:54.447{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35B8FEC0F7DCC1E4AC50CB819CCB0CE,SHA256=147507C7E5131462F740878C0515D16DE5B66703B721A7718AE570E61732AF03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:55.795{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866BB483D37E58441DEEB7F4A7480394,SHA256=69BC1A01F30447F7FD62E65DD07E4F53A4477FEFD69E1A662D39EB7352734A4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:55.493{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764C628952A2D04D7FC2477A4BB8D046,SHA256=E396963280E330191ED33D12D7A1D0AD58D058EB9465695FDD6E89D366ADCDDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:56.889{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4AF433E8BF041FF693B42A001CB8B7A,SHA256=444E7B9EF0A6BED7C9511979CE1EAADF895A7B4E15C01E30316E77BB355A0860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:56.660{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3C997508B9CEDB4072CE16CD5DDC1B,SHA256=24B73C5150419B8E42A5DCE4F9A072F20557576ADFA811673158B512C8620F23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:53.255{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64851-false10.0.1.12-8000- 23542300x800000000000000052113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:57.982{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69518FAC2919B8C0CF1CAAB9AA2A4CF4,SHA256=9FE3BA06D4D54B62A26F2D5D2EB27AA4DB32F981E04EF34927061EE07F4F5A32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:57.690{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCEAAFB2A4355D3EFCBC55CCFDA9386,SHA256=5DC18A1D0535E7D4B50499886307C6C0315FC539FBD96F6511B727898380DDA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:58.743{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5FD2F6236187F807CCCC073D7EA313,SHA256=DB727098AA619571FD911F2F7CEF62FFB85FBFB541F02225663B30A10D05654C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:59.789{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E8A46550312D3191C5C5C9515A920B,SHA256=45C81554B88DEAD3DEB6EB0B52EABA7FCE148F84C802A41246A5BB909C8AA8D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:58.116{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50946-false10.0.1.12-8000- 23542300x800000000000000052114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:54:59.076{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EACA15D193D578522939A78F333E7B2,SHA256=72A43B1C02DAD029F78EEB8C0F86415406735C25CE2DD03EA5886C696824F16D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:59.105{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=92E6E01AA3A4AD23719CE4EABF1777F4,SHA256=2480114676CA9A64208BC0BFDD964E0D840076252DBE85F2BED8DAA7F8DD1B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:59.089{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:59.089{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=36359EBC11FB48C006D26A26F93C9164,SHA256=6B510F443087B092CF112FFBA3BBC59CF806CE69D869E578C0E80265DEA9CC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:00.841{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC869B92032CD32C200E468541F9220,SHA256=B22D4A461392DBC840A88117296107F64CAE7B237498C6F7E78471272DDE3DD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:00.170{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD8CFDC8572DDC74F7ECAC19293C487,SHA256=9AFD690E70F72CC24FA9834603AB2EACDB0BA9C59892AA9E98E9A0F28ED9C054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:00.441{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Users\Administrator\.idlerc\breakpoints.lstMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:00.441{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Temp\h.pyMD5=51FA8D1DC750CF017FEB513B00DCB9BA,SHA256=09201749D281CD1B00EE1C211633D95B03E0E65E53698C5D4B69413FBACDD835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:01.887{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05B48E3AE71E378A85BE8F8747F02F1,SHA256=A78687B7BCC9709DCB8700130F89FA81EB49554F3DC20F0AF429DDAC15F57436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:01.264{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD91CB6D630D8A4D6114206FBE184EB7,SHA256=B5E3844EA3C6E27FE3E4145058C5E923BA6F837BF99C0DBC6C6964A25AEFDCEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:01.656{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7B947BA61FA58A1E7BBDC0F8D5315EA0,SHA256=281C1CC7F89BC561B58551634A0AF533D632FB5FCC39C243358FAEB0CA09B61A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:02.939{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7F9B19F9FDAF59CB66E54EDC00AE0A,SHA256=F1666685ADA777D7166C8BE87AA5E212A7147AA98B230E047F3DDA5E4DE80E6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:02.357{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C6032EF7C98AA38126D37E0863384E,SHA256=CAB27252F869A16F4865159CA6EC10001682054271272E81969889DBCA20F7A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:54:59.150{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64852-false10.0.1.12-8000- 23542300x8000000000000000275383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:03.972{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA8E5E4E0E4956842F267775465973B,SHA256=79EFAFCA6D6AF4E6CDCDA9192F026466333DF3ED556B5E6CC1B85FBB7D1A25BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:03.451{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C9D794C3D559AD4CB9CAD5CB0CBA3C,SHA256=BB139E84730AE0091C0231775122D80B00C0AF95B271DAEFF393F6DE0279DBA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:03.685{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18FF4ACB1F369DA6B8040086EB3B1473,SHA256=FC73479B7B5E406C32CF37B7D919064A9A4E5C2AE7A3A22078F69CE76BBE4561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:04.545{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B41A40B10FF0E61D6CF62B6C5803C0A,SHA256=3DDD2869D7093A935BA97B98A3ED5727FCFD2E560897B6A40F96C6F2AE92E1BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:01.648{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64853-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000275384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:01.648{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64853-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x800000000000000052122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:04.132{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50947-false10.0.1.12-8000- 23542300x800000000000000052121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:05.639{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD437CBA8D14BC6D62884F732B0D5254,SHA256=BA06DDE4873394744F515F0B58E466EF4DD5341887C85E3E01E3EAE6C817FA52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:05.004{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B6E331667BD0C493E882DA470BD0AE,SHA256=1F71408CB525643B62B957374C4A85A65F39B0CCCB3F770484078C7D417D4C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:06.732{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3C3C5865B5385ED3AEC73A3F65407D,SHA256=0FBD7266C08797C74D3188DFBDE1DB783834076EFF9F18C32509CF3B2A6A9D3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:06.041{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E232B516DEF4D06E1AE3127C356223,SHA256=99D90828582CD911F0137009E791C7BC14066906BA993A4649D0E60B40BE437E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:07.826{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FB5D9B390B1663940236330F6C7C1F,SHA256=3BE5663CD24ED86897E4031002069C8CAB3DBA6A2FA2C885CD9B2517901F712C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:07.172{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D6C0AC986F2968ECBDF2C6F2A96B141,SHA256=B7B1EFF18712C94834765D57F0FA0FBDB31DEC6BEDD2D2F8E0B2D6B07E293928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:08.920{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C379E0C00B626BC5D1B6796136A547C2,SHA256=8DF36539750C8FFE0F325ACD1193AFC495EBEB52EA487831FF14A29476AA7DD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:05.164{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64854-false10.0.1.12-8000- 23542300x8000000000000000275389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:08.202{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC78348DF065D4B2F04ADE93628FA3C7,SHA256=3D1B58E4EEA056BDF60457C55D7B32CC9DF719E6709B63957F748160AC23BB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:09.254{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCFDC95DA6BB4AED9AE7B5BA89492347,SHA256=4D3A5911CB515DE4D415001F9D5AD0ED0FF1BF6B65A28AAD321B0600359FF54C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:10.014{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855A5E9F4187BE9F082DF15DB57BE4E4,SHA256=A5BF785287BD53604D862D5B2C334ED78E2EF62B4AFA76078476D1983DC26E0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:10.300{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F891B9C41FE9ADD0244D28140CD3E1,SHA256=AFA7FD9FE349A2D94DFC192DD9A3AE5182D0D9F1906024DFDC812A4E3666AFDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:11.954{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-102MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:11.107{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD06A6E7C77B833C4F9258A3E63E130,SHA256=9D7ED23C41FA1C9A7E607982D58B6E3C5CE3435049646E6B674376B3D4D39212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:11.417{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29E17BA49E35FD01C8A9F3A0EDAD7E4,SHA256=C1F62F3D7724E8F296BFD6455CB388FEA9EDF29FFE82F0D2984B0BBD884EAF09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:10.209{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64855-false10.0.1.12-8000- 23542300x8000000000000000275394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:12.568{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D98E6C0ED8E72942C73F360ABE269CA,SHA256=651EA56879FBB8806B362F54CABCD78114A42D7223D8183FEBACBCF0D4A8CCD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.952{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-103MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.874{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F240-62DF-5D03-000000007002}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.874{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.874{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.874{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.874{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.874{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.874{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.874{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.874{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.874{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.874{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F240-62DF-5D03-000000007002}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.874{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F240-62DF-5D03-000000007002}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.874{53069400-F240-62DF-5D03-000000007002}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000052144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.592{53069400-F240-62DF-5C03-000000007002}33643884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.374{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F240-62DF-5C03-000000007002}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.374{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F240-62DF-5C03-000000007002}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.374{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F240-62DF-5C03-000000007002}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.374{53069400-F240-62DF-5C03-000000007002}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:12.202{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5970391896FCB471799C1FE7E8A6B10F,SHA256=2F16E5CE409C24A87E8C3FB2AC0D4D36313C11D0A5C9A2619753A3CDC11D1447,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:10.163{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50948-false10.0.1.12-8000- 23542300x8000000000000000275396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:13.598{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2EC323076A26FE743592FE21BB9B23,SHA256=A889F91FD68F61657C459938719102AC1E076A24BE48476669BCE3081D6DDB1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.531{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F241-62DF-5E03-000000007002}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.531{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.531{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.531{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.531{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.531{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.531{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.531{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.531{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.531{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.531{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F241-62DF-5E03-000000007002}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.531{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F241-62DF-5E03-000000007002}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.532{53069400-F241-62DF-5E03-000000007002}1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.484{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17C016602CBFA9168C87164DF270D5E7,SHA256=208A04597BB4337BAB1591AF078BCAADBACFC231CDAD26636402B211BEF138F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.325{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=234320D1CE60FCBFF83F64B140958D33,SHA256=6E2CA4A5367E8FDD1272583C52B7C8AD13E1BCCA7E6F04401223808F1E759093,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:13.028{53069400-F240-62DF-5D03-000000007002}31202032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:14.635{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4746F11E9F3A9475B7B7F302A8D1CBF,SHA256=AE8727EA848DA0CDA25ABEE22C42998716B74223318970E54B2A2B22837E5F8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.937{53069400-F242-62DF-6003-000000007002}39562000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.718{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F242-62DF-6003-000000007002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.718{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.718{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.718{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.718{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.718{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.718{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.718{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.718{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.718{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.718{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F242-62DF-6003-000000007002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.718{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F242-62DF-6003-000000007002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.719{53069400-F242-62DF-6003-000000007002}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.671{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8DDF0182AF99F2AB9F2B2DC80F1182,SHA256=659685B3F206C10255064DF97F1EBE20E5448476705507D16D50DEC6BBB22216,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.203{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F242-62DF-5F03-000000007002}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.203{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.203{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.203{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.203{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.203{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.203{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.203{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.203{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.203{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.203{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F242-62DF-5F03-000000007002}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.203{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F242-62DF-5F03-000000007002}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:14.203{53069400-F242-62DF-5F03-000000007002}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:15.681{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567F65D53FCB19F2E74D1C4F4807A164,SHA256=01083E5C0F31E726ED70D4575ABCABC13B7779012FCCCC3E1A0DD769E0615A43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.859{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F243-62DF-6203-000000007002}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.859{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.859{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.859{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.859{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.859{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.859{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.859{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.859{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.859{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.859{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F243-62DF-6203-000000007002}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.859{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F243-62DF-6203-000000007002}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.861{53069400-F243-62DF-6203-000000007002}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.859{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBC8358EFF657D5E56B1F6C1B18CB20,SHA256=22AA6BBF68BF9540BB8346BD9C348E6C789C118B5D09AD6E1ADE8984BF81287C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.374{53069400-F243-62DF-6103-000000007002}23281816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.218{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F243-62DF-6103-000000007002}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.218{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.218{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.218{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.218{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.218{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.218{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.218{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.218{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.218{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.218{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F243-62DF-6103-000000007002}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.218{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F243-62DF-6103-000000007002}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:15.219{53069400-F243-62DF-6103-000000007002}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:16.921{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045C14C3D500DFE61E811D770202881F,SHA256=D3EBE9D5E39327450232E733EF7FF601A3DF2C1C483F72D3323C38FE4F6D6D3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:16.848{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D978-62DF-0100-000000006F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97d32|C:\Windows\system32\kerberos.DLL+7a118|C:\Windows\system32\kerberos.DLL+1454f|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+2d496|C:\Windows\system32\lsasrv.dll+32d29|C:\Windows\system32\lsasrv.dll+30677|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+176fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000275404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:16.848{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1600-000000006F02}1312C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:16.813{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7439E884A740F5E4D33ACD06933F18,SHA256=5CE0D60FCA848BCCAEBC44EB3C8DEEB063CDC12E37895C7B909C7333AA5BFE2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:16.748{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Users\Administrator\.idlerc\breakpoints.lstMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:16.748{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Temp\h.pyMD5=51FA8D1DC750CF017FEB513B00DCB9BA,SHA256=09201749D281CD1B00EE1C211633D95B03E0E65E53698C5D4B69413FBACDD835,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:16.733{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:16.733{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000052233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:16.149{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50949-false10.0.1.12-8000- 23542300x8000000000000000275407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:17.864{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87914E21D6A3CB4EE71A47B40E9DD5CB,SHA256=42E6CBAEF578F0FAB87FA3AF69E013F9C256E240702931408BCE633D707CF612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:17.816{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=370A900FB3ACD59FC9435B847097DF83,SHA256=581C60688B2BFEB9930F86D184D5EFD9E9708E1757C0A17FF0E83EED915E0732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:17.062{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7DC9B7FAA0DA7A45AADA44A76F949212,SHA256=E386D2F5CFB5980BB4D8E5695AE69FF30D366C9FBC5A5F28090E0E49A34380F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:18.914{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36AF60C9F86F48EFF800E0F693F7B2C,SHA256=D071958A2E91754EF8565BFD401F1655602D53E64116D3090B1DBC4635CB6A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:18.015{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2CD2E88D28105DA71808A43A168AAE1,SHA256=E318B1C37E4174E7C33BE91BFEC82E0DDFE548C685D59152D6CBBF2E73A44370,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:16.141{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64859-false10.0.1.12-8000- 354300x8000000000000000275413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:15.861{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64858-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000275412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:15.861{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64858-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000275411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:15.756{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64857-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000275410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:15.756{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64857-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000275409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:15.744{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64856-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000275408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:15.744{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64856-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x800000000000000052235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:19.109{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCEB91D885CCF89552A409F1AADAB5EC,SHA256=6F73334961E9B76CED7E4CA33F09443D282B0991FFFA692B226CB7B3F8B9AC9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:20.203{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65549112BB6FC8EFCB17F92181DE374B,SHA256=516A6ED616838A1B88DC4037EF955E119E2A1D4C36F7E7E964FEE59ACEF30950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:20.614{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Users\Administrator\.idlerc\breakpoints.lstMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:20.614{F81F30E6-EDDF-62DF-9C03-000000006F02}928ATTACKRANGE\AdministratorC:\Python310\pythonw.exeC:\Temp\h.pyMD5=0A1CB7BD219C9623FFE43735F948C0B8,SHA256=FC98E78A15C948931DBBA3FB2277EA324413746E6191FCADD074C8DC61FB537F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:20.062{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B709F0389A9B109D2D812981219ADF6,SHA256=8EC2A9C47A3427385305C437D9F2F9E054F1CA1819AA87B48CEC534599B66990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:21.296{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB0F6D82E63E7075E6A6CE4649C4A91,SHA256=492F92025058C78798EC7DECAD6D4D8B97A4E5E2850DAA1977C4ED25AFCADF8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:21.314{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:21.314{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:21.314{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:21.314{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:21.314{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:21.314{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:21.314{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:21.314{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:21.110{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0305CAE6EFC8323CE63092117FDA50,SHA256=756798885D24CB39A6BEA8803C6AF525545EF510AAD533CD0DD640DFB67BCFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:22.390{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D656B803AA38E8D845AAC6C5DEBBB5,SHA256=61E670DB85461E287799F08AA6EF5E2FB8905A4EE117C8D5E27EDB8F4F602975,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:22.993{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:22.993{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:22.978{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:22.978{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:22.246{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AEB142DD537FAB052EAE3E965CC662,SHA256=E42F752A36B196DAC0DF1360522A90E49CFA2FA4FE199B718E52592B78C89C3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:23.484{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9309BD03A05A9F0E3DB668756CF8C182,SHA256=A863F718EF770C08FE3A501F83AD4CCE4E340907A236D12E31A7C19ACE9FCC75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:23.362{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023E1F3E6C8CB7A6C102ABE6CDD8379F,SHA256=EF416F3E6C6DDA5D2514A1C5080EACC09F0569CA713F2F5105E63F1E9D1BBD1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:22.165{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50950-false10.0.1.12-8000- 23542300x800000000000000052241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:24.578{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203E6E07D7D7411685FCA37C24191C53,SHA256=EE2AF056A2FE595D0FCC1D31FA59109CA1F5FA2F8EDC860028DEE4F7C24D90A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:22.139{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64861-false10.0.1.12-8000- 354300x8000000000000000275436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:22.116{F81F30E6-F21B-62DF-3D04-000000006F02}436C:\Python310\python.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64860-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 354300x8000000000000000275435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:22.116{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64860-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 23542300x8000000000000000275434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:24.476{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219A0DE64558A163DFFD56326F144A87,SHA256=0D5482FD4CE23AD19F325092F9D6CF5D993FC01350E0E8DCA05C6ADD084739FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:25.671{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D615ABE7003F7FB64AE542C1979FA882,SHA256=E7BC5FA17566DF876CFA9949DB0FBADED2EAA0C003526A836559B440B580F307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:25.628{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC92F8D0FC7EBC31C33B180C239350F,SHA256=751F63315C8A38DB2EADF0882345E553919B70AD10F6E4D0E7C262C71C6FF2C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:26.765{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582BD5D9EE41D5FA4F2B276F8E6668CD,SHA256=1A3C7896DE5269D0B7A6EFA4336B02BC0E87277326E106C6DF596BEE84253F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:26.659{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8FE8EA83831F64373FDEC62C1FCC5C,SHA256=5EE90D5454F71AC9C14F19255C63C615BFC9AC4552BEED3190010B9D5639A58F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:26.212{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:26.212{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:26.212{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:26.212{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:26.212{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:26.212{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:26.212{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:26.212{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:26.131{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-102MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:27.859{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0B7C530A17E5E9235AAB14DE20BAFB,SHA256=EB81148B47C188ADC610C90D1679D023D706098FCE20B8466E0B79D12337ECD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:27.774{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F96CB92B27610B1079A9C7D00AD46E,SHA256=5F91243545F931DCD9E350C3D71C5D2B7C74E1E447E0F2E525FD5C2A58A2E807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:27.375{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\cache2\doomed\25579MD5=EDB8822A8A3AF14E4C6C41E6F145AA28,SHA256=404AF448EF83A30BF73059425DF395124301D9F1FDE57CBCA85FE5B0195794D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:27.145{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-103MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:28.952{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685454793CCB49C3CC4219F6EA9513C5,SHA256=7053F616162B7E172A26374E818911F3CA9D1C6CA1DB5DE60114B0C45DCF3143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:28.926{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34C6AAA29BDF8D5DA1241EB29DFB425,SHA256=1BEED894F25D715F37A99B87FA700CEF63FE37D24453155873AD4466A5A75AAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:27.290{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50951-false10.0.1.12-8000- 23542300x8000000000000000275452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:28.727{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDF9B403901B2CC15AC562323802B311,SHA256=44FD268979E257A4B97D380672B2038472A490360AC634E4AE09AE3760BB6802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:29.973{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F58FB069EC97FF9EE5FFBF2A32E38F,SHA256=56DEEDED01B558AA9EDB5DC7CD27A982C8F710818C2D9348EC3943AF9EAD43C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:29.307{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-F251-62DF-3F04-000000006F02}7088C:\Python310\python.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:29.157{F81F30E6-D9FD-62DF-B000-000000006F02}56685648C:\Windows\system32\conhost.exe{F81F30E6-F251-62DF-3F04-000000006F02}7088C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:29.157{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:29.157{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:29.157{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:29.157{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:29.157{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F251-62DF-3F04-000000006F02}7088C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:29.157{F81F30E6-D9FD-62DF-AF00-000000006F02}56765672C:\Windows\system32\cmd.exe{F81F30E6-F251-62DF-3F04-000000006F02}7088C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:29.165{F81F30E6-F251-62DF-3F04-000000006F02}7088C:\Python310\python.exe3.10.5PythonPythonPython Software Foundationpython.exepython h.py 80C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=B1E4A59F3F1C7B6F250319D58798D3B9,SHA256=0467DF606D98305B25A040E051CF8876A553A61DA1031E51E6E77B15FB18B964,IMPHASH=4532ED405F27949E7A9CE4879FC06EC9{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000052247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:30.046{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C257BE340C682E69F4A4219192B051,SHA256=310DE161DB2A86A66ACB329359B12BF838A6A41B8C445D32E9F804E5D1ACE1D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:28.113{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64862-false10.0.1.12-8000- 10341000x8000000000000000275467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:30.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:30.541{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:30.525{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:30.525{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:31.140{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8665010569761A5C200CC2A8D39F8FE,SHA256=5BF12583E2861817A6833FBAD59F029C5BE0F09F3EA1CCCFF1CDF042AEAC2606,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:29.681{F81F30E6-F251-62DF-3F04-000000006F02}7088C:\Python310\python.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64863-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 354300x8000000000000000275473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:29.681{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64863-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 23542300x8000000000000000275472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:31.689{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AB1936C98B84B9842C2F45688E8DA499,SHA256=21C9118004A0DBDEEB471CDCEB03A3A0D98394C28DC7CF87E58BB045850E29CF,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000275471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:28.315{F81F30E6-F251-62DF-3F04-000000006F02}7088win-dc-ctus-attack-range-5020fe80::513a:aaff:ea8e:f17;::ffff:10.0.1.14;C:\Python310\python.exe 10341000x8000000000000000275470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:31.327{F81F30E6-D98A-62DF-2B00-000000006F02}26561432C:\Windows\sysmon64.exe{F81F30E6-F251-62DF-3F04-000000006F02}7088C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:31.027{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E0628D5056510CCBC578FDAC2EA143,SHA256=FB63BFBEBD903CC2947FE9C0F97034295653709176C1707898FBCBB09CBDCC09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:32.234{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046D8928EE36B5250A38A7A828EADED9,SHA256=36161A0198759D84F0F9E61E35A1BCBC4198D4E4DF40FFB31A1F256964F2FEFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.927{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F254-62DF-4104-000000006F02}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.927{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F254-62DF-4104-000000006F02}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.927{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F254-62DF-4104-000000006F02}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.927{F81F30E6-F254-62DF-4104-000000006F02}7372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000275484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.426{F81F30E6-F254-62DF-4004-000000006F02}72241196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.241{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F254-62DF-4004-000000006F02}7224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.241{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.241{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.241{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.241{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.241{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F254-62DF-4004-000000006F02}7224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.241{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F254-62DF-4004-000000006F02}7224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.242{F81F30E6-F254-62DF-4004-000000006F02}7224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:32.058{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F11069CB1946CB565974E841073809A,SHA256=919B8D97EFCF26BF4E2FFCE1F7C93300451B27876E7EB8208AF1CD2529684D75,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000052249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-SetValue2022-07-26 13:55:31.999{53069400-D97D-62DF-1400-000000007002}708C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8a0f7-0x5f14e20d) 23542300x800000000000000052252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:33.984{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DC5773A62CC8A97D22833C520AAAA81E,SHA256=E7851D47DC9A083F69C411200BC10E58894C7D291A1ACB4D130B1CF75D23604B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:33.327{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA65C0667FA66F938A2C8A5F3D1E216E,SHA256=DFB9D6C71E5E270C24A2ED7D937B213F47AACF76F3DD375B9D47FB9F358638A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.588{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F255-62DF-4204-000000006F02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.588{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.588{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.588{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.588{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.588{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F255-62DF-4204-000000006F02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.588{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F255-62DF-4204-000000006F02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.589{F81F30E6-F255-62DF-4204-000000006F02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000275501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.226{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.226{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.226{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.226{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.226{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.226{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.226{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.226{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.089{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D32221CC1FB0E96E5B50BC92B40720E7,SHA256=610E77ECCB832419A69473132EED472C2F1260622B321B395F956700ABE11B94,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:33.259{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50952-false10.0.1.12-8000- 23542300x800000000000000052253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:34.421{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77103ECD727E6928E5A5193C76C6B202,SHA256=A9E4FD59BD127644B4A99ADB27D408862A740A543420C00D27FF5567F46EEB5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.957{F81F30E6-F256-62DF-4404-000000006F02}45202468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.773{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F256-62DF-4404-000000006F02}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.773{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.773{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.773{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.773{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.773{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F256-62DF-4404-000000006F02}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.773{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F256-62DF-4404-000000006F02}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.774{F81F30E6-F256-62DF-4404-000000006F02}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.726{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B7145DA177F2FBD5CCCE3F7284DB4405,SHA256=D618124EA1EE7BC841DD9E028B3538B3BC72A3602222B4A998EA799CEEC91774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.673{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3031E95C82040DE3C570CC4510623CAD,SHA256=A3E66E6DB50F00CB74A518B962102FACBE50BA322062F6B17460DBC2E5AF8F9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.510{F81F30E6-F256-62DF-4304-000000006F02}75282408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.272{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F256-62DF-4304-000000006F02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.272{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.272{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.272{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.272{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.272{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F256-62DF-4304-000000006F02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.272{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F256-62DF-4304-000000006F02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.273{F81F30E6-F256-62DF-4304-000000006F02}7528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:34.141{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92237FE76C104D3AC329822C0BA159A8,SHA256=8E9C7CCEB74F533741C6900B2F14D62C30B163C6073C8C94BDC7DBFF2B730B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:35.515{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E30542A093653C727306887B45E8BF,SHA256=86197AC2D5CD22E49A5AEA40B686987071131D0C74925082409C7B09105F77EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:33.133{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64864-false10.0.1.12-8000- 23542300x8000000000000000275542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:35.678{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\e57grxtg.default-release\cache2\doomed\11522MD5=3D78C65E9CB6257223972FC7590C78FA,SHA256=6BBCD467FD3271D66F68C5DCA667818703A906B7E5867FD63A5847DC7F59C293,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:35.578{F81F30E6-F257-62DF-4504-000000006F02}80365892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:35.415{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F257-62DF-4504-000000006F02}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:35.413{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:35.412{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:35.412{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:35.412{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F257-62DF-4504-000000006F02}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:35.412{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:35.412{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F257-62DF-4504-000000006F02}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:35.411{F81F30E6-F257-62DF-4504-000000006F02}8036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:35.173{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074C08FB8A93463E04DA7CBC6A20818D,SHA256=EC1D5E056667B9FCC1EEEC32AEDEE91CAFED1E492D87602951C497E3636C7931,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:35.026{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:36.609{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C074349C1A28235CBBDE97DB364E08DF,SHA256=6FEE110D0DBA0256178AEA7128B4C83E50A267327373C919A18AB1D1C59D01F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:36.294{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D17583F158D8ECDE4507E7A0215B70,SHA256=96D5371FBDC56F86A4635C911C0A2C7457BC826138ED49376149B1C78DBB81D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:36.013{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F258-62DF-4604-000000006F02}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:36.012{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:36.012{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:36.011{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:36.011{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:36.011{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F258-62DF-4604-000000006F02}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:36.011{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F258-62DF-4604-000000006F02}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:36.010{F81F30E6-F258-62DF-4604-000000006F02}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:37.702{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD84FDF377D1CF68DBE936324A95C22,SHA256=920A7F523385ACB50293ACF363A2628457D881A8582BE3D04DBD26E94FD83674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:37.346{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA6640BB1789A3204D108A6CA19A5865,SHA256=77F6B84FF588E58D6A564C1258EA4283BAD7ADF3ABBE2668E80EB210F94AFCF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:38.796{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB05182FFABD346485AF78CA3728112F,SHA256=D87B6F72965F247D5CC13FCDB79A6A5DA1DBFF005A85A3F1406AA5843A81F290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:38.392{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6631E9E4766B963B2434261BACFD458B,SHA256=E35E0F9D050B25F9DA09F571FF04F19C2C19309AE4A7E981F6633D22CB4A6C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:39.890{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFBC25EC9BEAA69034C29384ED4F73CD,SHA256=75610E120CC7527382C9018ED8367095F68EA6BF6443939A001977E86A4FBBB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:39.528{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F41416CCED7CC16CBEC1BD0D4DAB92,SHA256=8DE0B87C15152866AC3E5FC94ED520232446292E64A06575526E640366F3753C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:40.984{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A457829B9A034EA4E71CF88DCF37A4C,SHA256=E474898046BF271DF3FBB5A61C70B98412B259B28D40C06454534A3134B383D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:40.644{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CAEF850902A8A4A7838244D21A618B,SHA256=35FC48CA53A67CA161D0AC6ADA9B52B302B74B8412CCAA3EE616F917E506E2EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:39.196{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50953-false10.0.1.12-8000- 10341000x8000000000000000275564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:40.460{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65767|C:\Program Files\Mozilla Firefox\xul.dll+85d545|C:\Program Files\Mozilla Firefox\xul.dll+8514da|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+17686da|C:\Program Files\Mozilla Firefox\xul.dll+1a277f4|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:40.429{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:40.429{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:40.429{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:40.429{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:40.429{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:40.429{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:40.429{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:40.429{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:41.890{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65b59|C:\Program Files\Mozilla Firefox\xul.dll+e65e38|C:\Program Files\Mozilla Firefox\xul.dll+11f018b|C:\Program Files\Mozilla Firefox\xul.dll+e627c7|C:\Program Files\Mozilla Firefox\xul.dll+120a85d|C:\Program Files\Mozilla Firefox\xul.dll+ceede|C:\Program Files\Mozilla Firefox\xul.dll+c395d4|C:\Program Files\Mozilla Firefox\xul.dll+c3930b|C:\Program Files\Mozilla Firefox\xul.dll+1871229|C:\Program Files\Mozilla Firefox\xul.dll+1e41d6e|UNKNOWN(00000034CA763342) 23542300x8000000000000000275566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:41.690{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00FB83E6E1D091B125026D7C4FBCFB82,SHA256=775C3176B556F95EE790BB1E434913B3C3697360267C38D4A6D8C3E7E2A92E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:42.829{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF81AA1A54D593E6C5F17C919FB87AE9,SHA256=76D1F813D33A53024A27370A660E2316722CF6A9A5408B4B2B1925BC49695838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:42.077{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928FF6E6B7F0AAB1F341E5F47A101612,SHA256=C5E2F760F7EF9B47072ECC4BA7D68EF4D7C19670ACD1D3345E42F4EC3FEEC6A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:42.560{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65767|C:\Program Files\Mozilla Firefox\xul.dll+85d545|C:\Program Files\Mozilla Firefox\xul.dll+8514da|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+17686da|C:\Program Files\Mozilla Firefox\xul.dll+1a277f4|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:42.529{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:42.529{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:42.529{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:42.529{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:42.529{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:42.529{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:42.529{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:42.529{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-D9FD-62DF-B000-000000006F02}5668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000275568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:39.128{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64865-false10.0.1.12-8000- 23542300x8000000000000000275579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:43.946{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CA58122CF4EA88C5C0852B4E5FBA12,SHA256=5FD1225D1AE7DC205804CAF061EBE326F53BE57583311822A39A2326AEFC1668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:43.171{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB3C9D6E890AB2E79548186CA17646C,SHA256=458232939D6743444D34D361BC3E65462CFDA66E3FE0435B8EF4197DD9492C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:44.265{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7D626FF0BB9D0E7961ECC0515BE77B,SHA256=F9533A4610BB0FD3190917B250E99785ADA2090C4B60AD820899355D652BD7C3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000275584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 13:55:44.629{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\AA1F4EAC-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_AA1F4EAC-0000-0000-0000-100000000000.XML 13241300x8000000000000000275583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 13:55:44.614{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Config SourceDWORD (0x00000001) 13241300x8000000000000000275582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 13:55:44.614{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11.XML 10341000x8000000000000000275581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:44.609{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:44.609{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:45.874{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:45.359{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31049B2755A08704A758DA1456FACBA1,SHA256=60740A0B75ADBD0E6F708F626B63C42211ED8C3F61CDD09B86800C22573A0A4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:45.462{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:45.462{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:45.462{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:45.315{F81F30E6-D97A-62DF-0B00-000000006F02}640692C:\Windows\system32\lsass.exe{F81F30E6-F261-62DF-4704-000000006F02}5596C:\Python310\python.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:45.112{F81F30E6-D9FD-62DF-B000-000000006F02}56685648C:\Windows\system32\conhost.exe{F81F30E6-F261-62DF-4704-000000006F02}5596C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:45.108{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:45.092{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:45.092{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:45.092{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:45.092{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F261-62DF-4704-000000006F02}5596C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:45.092{F81F30E6-D9FD-62DF-AF00-000000006F02}56765672C:\Windows\system32\cmd.exe{F81F30E6-F261-62DF-4704-000000006F02}5596C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:45.105{F81F30E6-F261-62DF-4704-000000006F02}5596C:\Python310\python.exe3.10.5PythonPythonPython Software Foundationpython.exepython h.py 80C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=B1E4A59F3F1C7B6F250319D58798D3B9,SHA256=0467DF606D98305B25A040E051CF8876A553A61DA1031E51E6E77B15FB18B964,IMPHASH=4532ED405F27949E7A9CE4879FC06EC9{F81F30E6-D9FD-62DF-AF00-000000006F02}5676C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x8000000000000000275585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:45.077{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8636010087619CADC3B9540BB857104,SHA256=4005EFE243C299E6B73C9C6DA40C291D686D22402ABC8785D8C96FFEA4E7A6E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:45.118{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50954-false10.0.1.12-8000- 23542300x800000000000000052267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:46.452{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C070EDDCACDFDFC3A5A4312530BE2786,SHA256=ED2B625EC9FD51F983CEA2035D251F7ED2911E8C601508790AF0668796554F59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:46.477{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:46.477{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:46.293{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:46.293{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:46.293{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:46.193{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBBEF20BD13DECFA8C6484D0AE75608,SHA256=7056D41549AE0FE9F46988C1B15CA130F2811DCBE0679C8C10F6B4361B67B22A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:46.193{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=320A5E44F9C9AB80D6980B2EB4B8D5A3,SHA256=1A9BB4A45279C8C18D6E9B3C20B688CAF82F320673B4FA7CDCAD7069A97B614C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:43.641{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local49757-false10.0.0.2-53domain 354300x8000000000000000275601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:43.641{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local55400- 354300x8000000000000000275600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:43.641{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local55400-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domain 354300x8000000000000000275599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:43.618{F81F30E6-D97C-62DF-0D00-000000006F02}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64866-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 354300x8000000000000000275598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:43.618{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64866-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 354300x800000000000000052271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:45.930{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50955-false10.0.1.12-8089- 23542300x800000000000000052270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:47.546{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F24F7B295FCDD82960229AEBFB0EDDF,SHA256=900356D024199328C9A338138452B4E2EE11862D31756AA9DB3ED7F9C7132315,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000275617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:44.324{F81F30E6-F261-62DF-4704-000000006F02}5596win-dc-ctus-attack-range-5020fe80::513a:aaff:ea8e:f17;::ffff:10.0.1.14;C:\Python310\python.exe 10341000x8000000000000000275616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:47.675{F81F30E6-D98A-62DF-2B00-000000006F02}26561432C:\Windows\sysmon64.exe{F81F30E6-F261-62DF-4704-000000006F02}5596C:\Python310\python.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:47.213{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DC06A0B1531738318B0DB4B702080A,SHA256=12F8AD41820125116739F035966B515134E97D75C5D9EDFEC5A92C13B7EA8733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:47.265{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8C5F74C40D7BD82154A6777BF5684428,SHA256=267364466CA66907F2BE61A9E56DB3933FD5916583A0E889251A7588F1390052,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:44.471{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64868-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000275613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:44.471{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64868-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000275612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:44.139{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64867-false10.0.1.12-8000- 354300x8000000000000000275611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:43.643{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:9860:88a4:89ca:ffff-54314-truee000:fc:cb4c:8974:2430:8364:2428:49-5355llmnr 354300x8000000000000000275610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:43.643{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local54314-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x800000000000000052272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:48.640{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0EA30CFEFABCF2ED2C864175FF9973,SHA256=8F5248A2AA568787742A0AE9DD5DCB1132D91596589C8FF5F168D9B79E1BA81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.874{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.810{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.810{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.759{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.327{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.327{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.327{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.327{F81F30E6-D9BD-62DF-9000-000000006F02}4688172C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.312{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.312{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.312{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.312{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.259{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E99AE4805F828FF9262D9FBEEF18A4B,SHA256=171CB01FFD4A959F37C42EE33DC6F016993C63DCA3A3AD318F16B9F2A5215F65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.175{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.175{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000275619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:45.301{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64869-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000275618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:45.301{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64869-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x800000000000000052273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:49.734{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585E16082254FA5BEA67B15C36122F28,SHA256=BFD9CA0AD57888D8454158B37EFAF819ABCD586F53BA4B2F8CF11C7773884245,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:49.458{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 23542300x8000000000000000275636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:49.275{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3358672F9A61C0D6B857F6F398D035B,SHA256=F779EDDB15B398B30DBA3682C9FCABDCF07F5FF9ED7C6BAD7BA3A67607A1BE69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:49.127{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1600-000000006F02}1312C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:50.827{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C81457B0378BE7DFA9D4184AEE68FC,SHA256=56DF65021C34419B919C0B2AA2DD4DD67AB6B74EAB6CB001FD8B5328ACEF0FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:50.326{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C1A1567AFB8177ABE328A25D6BF4E9,SHA256=FA3ECF85EDF6711FC631B484EDD9E9AFCAD15E52C10A1B0F1F761AB14178F462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:51.456{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5700D980B9EB441E794F7BA2EE03BA19,SHA256=4F3C8CA43B609110A53E81766912622C5EA650DA34B22821E28BF446B784F219,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.138{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64871-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000275640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:48.138{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64871-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000275639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:47.867{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64870-false10.0.1.12-8089- 10341000x8000000000000000275646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:52.806{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1100-000000006F02}440C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:52.802{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1100-000000006F02}440C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:52.486{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6185602D9B2EC5BDFB06ED17A94FE92A,SHA256=D61ED0EBE01CDA97FFCC8155C913EED3B8D4F6475B43694089C387ED4B1BADE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:50.243{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50956-false10.0.1.12-8000- 23542300x800000000000000052275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:52.031{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDFCED21FE246AFC2B2A56F6FC02ED75,SHA256=9AF7C96C20E9A87AAD342AFF5357CBB23BAD6BDBD79FA0DE829836992C26432F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:49.213{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64872-false10.0.1.12-8000- 23542300x8000000000000000275647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:53.585{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796E5CCCC9B61BF8A9F6971092455D57,SHA256=9D168F3DB8ACCFBD902D8378D97330405DB36760FE7BC9361675D4EADDBAA768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:53.124{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11523AEC0A2DE1919BC223F4D9D8E27,SHA256=257CAD9BCFF1B5D0DAF815B9171E354C5404109CF618611003BBF131D2E3C0E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:54.703{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A501B48FAAB393A9E84D3C6AD517DA5,SHA256=56DA2D4945145474BF264263492CF9D6EBBC2A7D926B95CC89AA5A3C695B72A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:54.218{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19EB85D73DF56E694B2E914F9563004B,SHA256=FEB09E6C83A8B7307D7514E6E32C4FAD9884B716B45186F3E793096F9BFA66AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:51.813{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local63106- 354300x8000000000000000275648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:51.813{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local63106-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domain 23542300x8000000000000000275651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:55.751{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59D89B786979A61D67472EE6C96A864,SHA256=05BD2691161DD989993E96A52286CE1AEAE208CA56CA6849E359AFB85D243FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:55.312{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94BAB6011751B2472A3DE837F098ACD6,SHA256=0C704F973C32B6DA72F15D102B20D0C73A87709C779F442EAFDBB7756C5DC488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:56.800{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A2F3520DE9570D758C44049D039028,SHA256=4285B0C94BFCE172FA180177FCD0D542536688F904FE252DB44D11C446B002A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:56.406{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE62D2399EA8D14325FC58C1C0A97B31,SHA256=A1A719CDE23BC5718DEB031EF0980498561DB8F8D9C53EDBA48D7F800F0B0D40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:56.404{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000275653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:56.404{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:56.404{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF61799d.TMPMD5=916C2D93B58C5CBAC8AC3098A059BFC5,SHA256=55953AB8F4BC753693EBC3ACF5A7C00D704055829032829763C3617710DD9C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:57.819{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D868281B9103FFDF1C8124BBD7CC3E13,SHA256=7D3D8580B7B8939EA0D1D21E429E91575C43218D0EE5DC3E818BFFAA2B8617A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:57.499{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94209F6E40C7A0D830453B59A8BADC56,SHA256=F0010074BD51AD8D8C8845D86AB149B5D5A80F7EA8F3A4605414AFC5CD439FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:57.466{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=D36D5168F67FBD3F85C471AF93D45F66,SHA256=EDB8874C1B27239B1103F0CD0CEA5B1BCE56ABA9AEB83995E29B881F1D6359E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:55.290{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50957-false10.0.1.12-8000- 23542300x8000000000000000275659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:58.934{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D271D8885A09B0D4A75A91B81A2FB21A,SHA256=5117B162B3AD1F7D0E22CD056719C66A9E748D58FF7D0A4E4569A757F9967747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:58.593{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697F88095D47AB1AE4EDE1FB71C29B2A,SHA256=E5B32C61420A47180AD9A1AD25F75B1B35D4DA2EC75E71ACFBD7D327F9A4C5FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:55.091{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64873-false10.0.1.12-8000- 23542300x8000000000000000275662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:59.964{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE31542A2E8EEA1707C4B9D1912EC98,SHA256=F96F1609722D62231AFF1B8BE4A14807AF5B32F0AA8EC93F47525DFD5056D11C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:55:59.687{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0094A77B78C5E2DE3CC20099B1FB803D,SHA256=CB36D595878E1BEBD81413C4C4E4EAFE6BF8D628AA2866777124969C0591EF59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:59.334{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:55:59.334{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:00.997{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC816D94863B377637B3953B8C180E80,SHA256=711E527DDC49F62921F813B14FBE2CA362EC94F27601E22CB35E61F5F35BB5A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:00.781{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81A0EA00EF8D3A898224DB1100864A7,SHA256=6A456055D74D5EBC56A8B2507D439E65C6E58B255CC92A7C0DA001D2F5FEAED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:00.917{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0E9EA851BA2701B001EBC802EC2310EC,SHA256=42EF2966E6F6E51547426FE35A1166B5856139D623196191CDAD450D683935D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:01.874{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82D1B423F7038CBAC02F4E2AB911500,SHA256=CFF845B70CF632330E93BF1A46010FC60B7BF4FF38FADA53204FBE1D92053D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:02.968{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11842841CB15A142B6F4C1FCAD8CEF79,SHA256=6D293A16E6DB9C26251A433AEC032AEC5115D835887838FBE67567FCF301CFD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:00.156{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64874-false10.0.1.12-8000- 23542300x8000000000000000275665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:02.047{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=785F1D4061FD15D33A6F669CC29019B6,SHA256=CFC78C66E54FEFFBBF4467E7E3712810BB60BC92922AFDBBA24357B1BF540877,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:01.305{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50958-false10.0.1.12-8000- 10341000x8000000000000000275672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:03.847{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:03.847{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:03.747{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0746CA1308455E3C018A28A7F8C8ABB7,SHA256=30825783D591AD695168C37A8490254DA5D7181149134597ABF394314851A2B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:03.296{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:03.296{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:03.147{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3DC4327A07C021A6EA21F009B84112,SHA256=DCA0BA015BFF0EF338D8418109F8143F5711C44A6E1C13D98D40E09B54959CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:04.062{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4C99735BEADD9DC6E3A65BF6F8F1F3,SHA256=AB07C843DB880FABBBE9A542BD0292CB9EC23D5FAD684C4BE8DAF37BE32544E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:01.655{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64875-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000275674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:01.655{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64875-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000275673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:04.278{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0238CC479E037722016D85296E9DB3C,SHA256=8BB740A3D00639D8A0644496F79BF220B5CCC73DC34D877D3D8DA2F9F3B47A08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:05.532{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65767|C:\Program Files\Mozilla Firefox\xul.dll+85d545|C:\Program Files\Mozilla Firefox\xul.dll+8514da|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+17686da|C:\Program Files\Mozilla Firefox\xul.dll+1a277f4|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:05.297{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD97B13BD2A5F53EB292137D8D510C5,SHA256=CDFC160C3922F4064F5EAFC1A57B3C899A3914F128E07167526A9C4DCF16C2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:05.156{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8283034D4938314BA5269B0ADC5EBC,SHA256=A65BAB8781E07AD46CA1E2C7526423B6733384A55EEF6E678F7B289484DE6D16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:05.117{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65b59|C:\Program Files\Mozilla Firefox\xul.dll+e65e38|C:\Program Files\Mozilla Firefox\xul.dll+11f018b|C:\Program Files\Mozilla Firefox\xul.dll+e627c7|C:\Program Files\Mozilla Firefox\xul.dll+120a85d|C:\Program Files\Mozilla Firefox\xul.dll+ceede|C:\Program Files\Mozilla Firefox\xul.dll+c395d4|C:\Program Files\Mozilla Firefox\xul.dll+c3930b|C:\Program Files\Mozilla Firefox\xul.dll+1871229|C:\Program Files\Mozilla Firefox\xul.dll+1e41d6e|UNKNOWN(00000034CA763342) 23542300x8000000000000000275680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:06.335{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B846DE332D6FF1EC4DAA463F929603,SHA256=FEC8E684C134164F805E874A4381271C9728C6428406625901B883FE0CD4E46B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:06.249{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640C2CE36F14BD6EDB13BC8C13639FD0,SHA256=4392331D93B60EB628BD9DCCA545657E061E77048ACC24A909EA117235B4BDA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:06.262{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65b59|C:\Program Files\Mozilla Firefox\xul.dll+e65e38|C:\Program Files\Mozilla Firefox\xul.dll+11f018b|C:\Program Files\Mozilla Firefox\xul.dll+e627c7|C:\Program Files\Mozilla Firefox\xul.dll+120a85d|C:\Program Files\Mozilla Firefox\xul.dll+ceede|C:\Program Files\Mozilla Firefox\xul.dll+c395d4|C:\Program Files\Mozilla Firefox\xul.dll+c3930b|C:\Program Files\Mozilla Firefox\xul.dll+1871229|C:\Program Files\Mozilla Firefox\xul.dll+1e41d6e|UNKNOWN(00000034CA763342) 23542300x8000000000000000275682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:07.456{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F2F623B17973DE7A1696A0433E70E3,SHA256=A00729AE6AD8F660025CEA14B2C3055505B81FB8BD02C775F6B04464B96DF734,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:07.404{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65767|C:\Program Files\Mozilla Firefox\xul.dll+85d545|C:\Program Files\Mozilla Firefox\xul.dll+8514da|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+17686da|C:\Program Files\Mozilla Firefox\xul.dll+1a277f4|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:07.359{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBD733DFC753C1268225E7245B781C4,SHA256=EEEC388468DA9FD80A10F74541E721A2ACA2B5FC78E490BE9CAB6360175AEBC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:07.072{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50959-false10.0.1.12-8000- 23542300x800000000000000052293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:08.452{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0188E1F97CF9F3B9A63B7FC2F97DDB82,SHA256=1E5479999EEDB80C59487A8E57F6B6C288A31EF4F51E1F46EFF53FA78D048215,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:08.923{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:08.923{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:08.504{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF336393CDEBF72863422E2E53DA3398,SHA256=EA5671F586C6D1362B845BD75E40F00FBA711E5D2CA5CC5A8AA965504E53B7B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:06.110{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64876-false10.0.1.12-8000- 23542300x800000000000000052295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:09.546{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7192427FD562822A7357293B78E8EFA1,SHA256=8644E7AA34A196FB5950EA796B9C7AF5E6ED684B273EC708418DCE5026F4E483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:09.553{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=393869CDE5389B8BCBA2047C23672744,SHA256=49F24EBC509937E6DD6717E510582E91A44210BF8DAF84E2F04A798A84F7F106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:10.640{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C320F49C1ADE36EB545EF9E424F793,SHA256=98FE3939A65365D48B102FFCECF1976E15EB9B32E03D32C8387CB744DC9A7B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:10.601{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07F972B3B30ABC6940F90D98A74D1E2,SHA256=0BAE543DD646055CEB5F8DADA57D0F81BA7D6961EA37F593143BB02FD6810297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:11.734{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57EA487A0127ECC53826158F17E35561,SHA256=3F8728CC47E6F46F029DA63266145641B5254E6EB812AF4FAE48B13DDA6C546C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:11.640{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FEF41867107DBA1809C9F045B90FAE,SHA256=B7324D162C0CCE6AB3F80D9D4CF9D047D328065FDC42B49EC6845EC61725A303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.843{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9DAB9F37FD2D9776E0FF54D15C7AC5,SHA256=90F2593A728E5042201FE0BD215B05FD87E5CE55D845406940BEC8D05B2B450B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:12.786{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F48EDC7FECA3A6418DB8F4580B693F9,SHA256=69EABB05C23AC65949356B3473453BD59C1436458E0EADE32DEC62A7B4840841,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.562{53069400-F27C-62DF-6303-000000007002}9724036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.374{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F27C-62DF-6303-000000007002}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.374{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.374{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F27C-62DF-6303-000000007002}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.374{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F27C-62DF-6303-000000007002}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.375{53069400-F27C-62DF-6303-000000007002}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:13.822{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4367B159EBCB689E022E42154178A21,SHA256=47DAB778366400262049DA8D3A5004525C2A75529684EE66671C9DBFDF1DD326,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:12.149{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50960-false10.0.1.12-8000- 10341000x800000000000000052341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.570{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F27D-62DF-6503-000000007002}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.570{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.570{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.570{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.570{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.570{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.570{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.570{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.570{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.570{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.570{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F27D-62DF-6503-000000007002}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.570{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F27D-62DF-6503-000000007002}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.571{53069400-F27D-62DF-6503-000000007002}1212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.474{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-103MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.438{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=967AE2678E276D3DC2F89244B2CB5016,SHA256=A30EC99CB51D39A6D235E2BF250F9791DB7671ABE2A961950E1E36B2A2E42266,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.282{53069400-F27D-62DF-6403-000000007002}8681064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.047{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F27D-62DF-6403-000000007002}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.047{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.047{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.047{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.047{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.047{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.047{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.047{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.047{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.047{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.047{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F27D-62DF-6403-000000007002}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.047{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F27D-62DF-6403-000000007002}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:13.048{53069400-F27D-62DF-6403-000000007002}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000275691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:11.148{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64877-false10.0.1.12-8000- 23542300x8000000000000000275693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:14.854{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B5A0323A24494FD21737C171D23F6A,SHA256=4AC2360001B7AAF363EC0C974CB575216A4CD0FFACF8935E63FF17B95F9F72AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.912{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F27E-62DF-6703-000000007002}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.912{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.912{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.912{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.912{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.912{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.912{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.912{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.912{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.912{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F27E-62DF-6703-000000007002}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.912{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.912{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F27E-62DF-6703-000000007002}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.913{53069400-F27E-62DF-6703-000000007002}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.477{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-104MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.398{53069400-F27E-62DF-6603-000000007002}612940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.241{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F27E-62DF-6603-000000007002}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.241{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.241{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.241{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.241{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.241{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.241{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.241{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.241{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.241{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.241{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F27E-62DF-6603-000000007002}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.241{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F27E-62DF-6603-000000007002}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.242{53069400-F27E-62DF-6603-000000007002}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:14.038{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5063BA58489FC67FFFF83C66A268D890,SHA256=498B49255D70003701CE3916367C60B970F7C9602837C0182A89BBC96BB07510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:15.984{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45E08F66AB1C108A671C16613B22550,SHA256=BF7161E24FF0CD7D4CDF449160336A2448C03ED53FE7CB27B72D92235ED2114A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:15.354{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:15.573{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F27F-62DF-6803-000000007002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:15.573{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:15.573{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:15.573{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:15.573{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:15.573{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:15.573{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:15.573{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:15.573{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:15.573{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:15.573{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F27F-62DF-6803-000000007002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:15.573{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F27F-62DF-6803-000000007002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:15.574{53069400-F27F-62DF-6803-000000007002}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:15.386{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B973DFFBB2AD5C64F06656BD04C62AD,SHA256=94D32836251A175E81D88EE6A13AC0375419F33DB29E01AAA7B1AC6C33275461,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:15.105{53069400-F27E-62DF-6703-000000007002}34961040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:16.152{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E122CA1100C498A6330039CBA2DBC49D,SHA256=5F82AFE6F3DECD29FD5C489EF7DF03B0D015F09E22765FF2F6982920C296BD99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:16.073{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F280-62DF-6903-000000007002}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:16.073{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:16.073{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:16.073{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:16.073{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:16.073{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:16.073{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:16.073{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:16.073{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:16.073{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:16.073{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F280-62DF-6903-000000007002}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:16.073{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F280-62DF-6903-000000007002}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:16.074{53069400-F280-62DF-6903-000000007002}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000275697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:17.608{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:17.104{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99AE22F3391B061D0CD3339BBBCE324C,SHA256=12A41572EC40E12C2BCC33E5E28D6FE203D1588AFAF637BAFE121B4972472CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:17.448{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=016F55C7C670FB6CF945115BA1C53DDA,SHA256=84633CCFBC2AE4BF8B85787D7AFBCFFEB1F1C647E4984B9AB73CD4722F4C374F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:17.245{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21EB7B289D94136BFFC7B7A6B888CEA,SHA256=84714939CEF4062A7BD5464785B09C57332B6A5ECCF44A074CB2E0C9AD75A20F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:18.339{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D740DCF5C49BB75C1D0ADE3B415CCE,SHA256=888D1AD92C62F55D81FCCEB2187D002DDFC0664C14D497C69DF50F1D0FF6C5BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:18.203{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE82496031F71706B4E88072AA36FEC3,SHA256=6DEAC30D0C2EB8789C4F9FFDC3F36130FF254965C66B58BE127B7A487295F484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:19.433{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F5F857F12311D8F4B543687EC85594,SHA256=98E64A5838C63145BA19AC7C8F356F8AA531E90202AF1575C9A8F904C8C7812D,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000275702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:16.673{F81F30E6-F163-62DF-1F04-000000006F02}2264datagroup.ddns.net0::ffff:127.0.0.1;C:\Temp\dcrat.exe 354300x8000000000000000275701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:16.685{F81F30E6-F261-62DF-4704-000000006F02}5596C:\Python310\python.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64878-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 354300x8000000000000000275700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:16.685{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exeATTACKRANGE\Administratortcptruefalse127.0.0.1win-dc-ctus-attack-range-502.attackrange.local64878-false127.0.0.1win-dc-ctus-attack-range-502.attackrange.local80http 23542300x8000000000000000275699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:19.254{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57DC655020FBD8DB4851E6359374930,SHA256=E0930546CD23EC32C16580D8E7334314B8A94BEDDCF3605BFD1139F233D04218,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:17.192{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50961-false10.0.1.12-8000- 23542300x800000000000000052406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:20.526{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDFCD05D9FA0989F9B7FEEDF3CF8E7A,SHA256=5440494BD65D4ECCC0C74C055BAB47858DAB77BE540414E755495406CBDEEC56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:17.148{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64879-false10.0.1.12-8000- 23542300x8000000000000000275703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:20.275{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8555AAF8234E8AAC5D9D9C4730621C6C,SHA256=B0E69318A0A28458169C2FA3118437771657FF9D2CB5B7417D3A3F7F6C7D9657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:21.620{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51001A32B2F7938ACF0D9508760DF05,SHA256=BB59F6BFF0D82E4827F567D726CA94C6ED8987FBE666315CA02D91DCA30AF750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:21.382{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C46B42EBBD660A6E3D87819024E8DC,SHA256=C3714852953FC45C1D03465D767E1D1089A978CE923A39300B2B8E8DA3CC34CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:22.714{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B92AA71D12B100C1F7A358BD69B1F8,SHA256=089B386EFC156776D98981EEF7C661FA8ED0CAA302A724756F2348C990647FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:22.414{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC09EF2DD6363B222DAF4D9DA4FB3DA2,SHA256=A4A8A817A4E9A4A45888A87A3FFD1517A1072FD3D7E67E171E63BFA95887F71E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:23.808{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5ACCC7824A1987F25EA64B08D21517B,SHA256=04DC84B6AF3DC7D8EA8EE6105AFF03FB30D7F4E02D79E20ABA4E6E44218ABBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:23.449{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4914DBCBBD47E157B5A0F9B82D4FBF,SHA256=E7D3B6DDA5ECE9069192FBDCD83A4D0E2BE668E02A79AA20A6A906CBAED8C340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:24.901{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DC714F62AF342694473B0CF43B3788,SHA256=1D210D3C581E9BBB2A7C4452B1C1EC229097D071A7F3BE40566D3F1272677F8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:22.191{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64880-false10.0.1.12-8000- 23542300x8000000000000000275709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:24.595{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2192DAF4C71708169900CF23042CB95D,SHA256=08EAE2816EC7AA235007B28BC079B9111E5A7BCF36E2A8629A148135BAAB2C22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:24.148{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65b59|C:\Program Files\Mozilla Firefox\xul.dll+e65e38|C:\Program Files\Mozilla Firefox\xul.dll+11f018b|C:\Program Files\Mozilla Firefox\xul.dll+e627c7|C:\Program Files\Mozilla Firefox\xul.dll+120a85d|C:\Program Files\Mozilla Firefox\xul.dll+ceede|C:\Program Files\Mozilla Firefox\xul.dll+c395d4|C:\Program Files\Mozilla Firefox\xul.dll+c3930b|C:\Program Files\Mozilla Firefox\xul.dll+1871229|C:\Program Files\Mozilla Firefox\xul.dll+1e41d6e|UNKNOWN(00000034CA763342) 23542300x800000000000000052412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:25.995{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B551ACFF224C838DD1A11A31E10B9E8,SHA256=73DAD08CBA662F42FE594C6D77C3286EB3AAC02B23AED338154AF957DFB43F69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:25.633{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E439816666ED9415ACD776FAFDA0D82,SHA256=8E203EC1D32ABA322601BD9198D4C8E774E0E1A9AAB0DBF9CD38AAABE31DCF6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:23.129{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50962-false10.0.1.12-8000- 23542300x8000000000000000275721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:26.679{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF3AA58F2412E2B784BE7BD4BA8F3A2,SHA256=A17FC4D2938A56CF4C2731CD4C64A973948A9F95F83C8FEB2DED581045C9FE33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:26.080{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65767|C:\Program Files\Mozilla Firefox\xul.dll+85d545|C:\Program Files\Mozilla Firefox\xul.dll+8514da|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+17686da|C:\Program Files\Mozilla Firefox\xul.dll+1a277f4|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:26.048{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:26.048{F81F30E6-D9BD-62DF-9000-000000006F02}46884712C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:26.048{F81F30E6-D9BD-62DF-9000-000000006F02}46884712C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:26.048{F81F30E6-D9BD-62DF-9000-000000006F02}46884712C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:26.048{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:26.048{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:26.048{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:26.048{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-EDDF-62DF-9C03-000000006F02}928C:\Python310\pythonw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:27.696{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64615730682432252E6B79304940E948,SHA256=3581EAE7189F3CAA3F4AF0ED65F98ED62E62E173B20BA24D40592EFD47864680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:27.089{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69CB07521DC2263D878B88019A7835C,SHA256=E7CAE7F81587BF670C1E6EC790AA8E501D515BA68C1944028D9F56F3E4C355A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:27.665{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-103MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:28.811{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83E4D772D69E836EE1C85079E1FB3BE,SHA256=EFBFB575388DEDC7EBD1C1CAEF7892312AF87E112F67C687CAA9006370DD4D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:28.183{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E35D59705A83A9463F5D95074F1637,SHA256=5DE851E308A62F8A62B5F784E9746C97BD1919B27E2EE0E7B3F438AD2BDE13A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:28.679{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-104MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:29.837{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C3F30A4A6F4558A6AF18F9E94462E48,SHA256=D9E0B7EE0C933A8CCFD43BCA2D8C0568E5AF0376472F5E3C2B074EF1858C33CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:29.276{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2359C3AB33EE7556DD889372FB2BA7,SHA256=C1267B11157FE98990FFF1847B65D89D8BD129FA7CCC33A090A95A611AC524F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:30.882{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBF3239B14CAFA7263FCEA3108691B1,SHA256=14B95C0CA935623D4ACA35A498B9D76CB6F39174C08E90C5ECD1E4D39CCF842F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:28.176{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50963-false10.0.1.12-8000- 23542300x800000000000000052416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:30.370{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1611E7FAE242163CE33E3C23D87E55F4,SHA256=2DDEC79F70C8B24A05BB85BE9805A77E06651433E49CD00546D09035B1481061,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:28.140{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64881-false10.0.1.12-8000- 23542300x800000000000000052418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:31.464{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F51AA40BD8685C18BCE497F50A6646F,SHA256=E8E2AF737B845E1623DA3B63B57C7F82305C1FC65821BD960B161BFE02D68C11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.251{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:31.151{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A85700E8532BC08360617B589F3C2E44,SHA256=D39C4B07D7A38B1F231FDC5D84A0D934998634A61C8A4032116978129B5C31B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:32.558{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D24EB9F8A62A2A53659C391D521BE58,SHA256=7F9FF48FE1AE68D4D7728656ADBEC2E66911C76E8E6C958FFF32D75DF497DF13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.917{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F290-62DF-4904-000000006F02}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.915{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.915{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.914{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.914{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.914{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F290-62DF-4904-000000006F02}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.914{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F290-62DF-4904-000000006F02}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.913{F81F30E6-F290-62DF-4904-000000006F02}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000275775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.397{F81F30E6-F290-62DF-4804-000000006F02}77365716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.234{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F290-62DF-4804-000000006F02}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.234{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.234{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.234{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.234{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F290-62DF-4804-000000006F02}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.234{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.234{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F290-62DF-4804-000000006F02}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.235{F81F30E6-F290-62DF-4804-000000006F02}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:32.014{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26938924CAA3A0F24AE2114B11D8AE80,SHA256=0D91096EEED179979612DCE90A46F7149DF9FC20AC65DD9B3FB08EAFF3A4F1E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:33.995{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5EE77BAC59A1FB0AD9410E6B0B5FE5F3,SHA256=20EF07900AB9CAD205879388BC8100045D7D786801A59C042CF82670FA5098D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:33.651{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1183BC17F05F232C8FF48691E70721B4,SHA256=5791EDE11A7E98502840D987B190D8E959121EB75B624FDD5D7C3B2D89409379,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:33.589{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F291-62DF-4A04-000000006F02}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:33.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:33.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:33.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:33.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:33.589{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F291-62DF-4A04-000000006F02}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:33.589{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F291-62DF-4A04-000000006F02}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:33.590{F81F30E6-F291-62DF-4A04-000000006F02}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:33.315{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40348F86C12D4C1604E6E36A995B3416,SHA256=36D8EBFC5CDA7FC2362A4E1D8B189D0B5328B839F00F3CD71DB4101D697CA258,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:33.081{F81F30E6-F290-62DF-4904-000000006F02}43126192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:33.066{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8D8C36739E2805B0149A5B12AC613D,SHA256=9C0A148CC6FF037463322C14867A9C2E11ADF0AA22C34FD3F5ADF2E607B18A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:34.745{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41056874ACC3627BC4771FCE88F8B236,SHA256=9E8C009A80DC4476B8E24B11BAEEDB2CF55298B5EE4A73159ABFF2E7C390452F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.924{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F292-62DF-4C04-000000006F02}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.921{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F292-62DF-4C04-000000006F02}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.921{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F292-62DF-4C04-000000006F02}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.920{F81F30E6-F292-62DF-4C04-000000006F02}1696C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.742{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8EE7BE073DCEEA316EEF10D0D0AC49BD,SHA256=A24DCAD64F6A887BD974C995D05EF4FDB5627A7E9230DD036F2D036C84A694C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.473{F81F30E6-F292-62DF-4B04-000000006F02}75964884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.258{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F292-62DF-4B04-000000006F02}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.258{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F292-62DF-4B04-000000006F02}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.258{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.258{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.258{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.258{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.258{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F292-62DF-4B04-000000006F02}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.259{F81F30E6-F292-62DF-4B04-000000006F02}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.142{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B32CDAF94FFDDE20E99B110B599A847,SHA256=D766D356A06CBDFF1EEEE13C8D8AFE0EBA182E61A159A0A6A2CCBBB6B99E856F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.023{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=D1B9E951F021AE9CF2811E812FDDBD98,SHA256=06B02702DE12684CA17170EDC63036EF3650F5C52E854252FEF835500F98D732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:35.839{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4E8238EDE41E1794369ABD52BCA43B,SHA256=3AE10580D0E189113CB072FEF783D30B06DEA2F3E7D9E79534429EBAE62FC72E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:35.772{F81F30E6-F293-62DF-4D04-000000006F02}52282616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:35.588{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F293-62DF-4D04-000000006F02}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:35.588{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:35.588{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:35.588{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:35.588{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:35.588{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F293-62DF-4D04-000000006F02}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:35.588{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F293-62DF-4D04-000000006F02}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:35.589{F81F30E6-F293-62DF-4D04-000000006F02}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:35.273{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61761672A58ABACFDBDB99266CE7133,SHA256=69F982DCFF4282233883474DCF27A8BA8A5CF44AF0B014C1D00E939E1E729C44,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:34.192{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50964-false10.0.1.12-8000- 23542300x800000000000000052428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:36.933{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A7C1853A5600626BCC71133A5B8C12,SHA256=D188C851C3ADBAD486AD988F2339CCD51280A21B9161435786C5DA4B73366B27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:34.083{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64882-false10.0.1.12-8000- 23542300x8000000000000000275833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:36.324{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153235F6867B447ABFF97B70A3317889,SHA256=3A1B5CDB8F4FEA01D7CA03B864FC88FF7C799435DC5E8DB85911286510AC2CF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:36.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:36.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:36.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:36.256{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F294-62DF-4E04-000000006F02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:36.256{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:36.256{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:36.256{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:36.256{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:36.256{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F294-62DF-4E04-000000006F02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:36.256{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F294-62DF-4E04-000000006F02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:36.257{F81F30E6-F294-62DF-4E04-000000006F02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:37.470{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE4CCF4F8828C2A89EAA39855434B79,SHA256=B6EC6286BA81D6FAA17BBC90FDB6E1BDF5BEB18F213E57896D98529A1691E4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:38.517{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D319D3A972513AB6F782D42B89B4E83A,SHA256=7ACC9ABEF7B9379EEDDA0BDED307DBE01DD2631E98681F4416E4A09324969C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:38.027{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A703F30A14A0C8462E06C7BF0262DA6,SHA256=E637BBBE3AB38EDEC4ED59F629F008A934EA11B5C50C17C07F21A4AE370FFC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:39.552{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF679B10C2191374D315F51575369AF,SHA256=5B3F97030868D0A797DAF549458E6ADA9344C62B8A68A6B23BFB1484B5475393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:39.120{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CA46BA3E24C9ABC5AF27BA847B173F5,SHA256=D9E21AB70C8844F30F650B61F346D61085A9B2A90091224E13EBE786CDE8607D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:40.682{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF1EA0BDAE0BFD04DD5026DED157F8A,SHA256=A49395B3D9F8E8892C98338C36B9536F340EE4045BC28E1B9AFBE33E8E37F48F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:39.223{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50965-false10.0.1.12-8000- 23542300x800000000000000052431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:40.214{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43931DF23951ACB0CE2896705431610,SHA256=26F94B546D44C73B85208148BFEABE975C68A2AFED82D49079100BD6D5646674,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:39.261{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64883-false10.0.1.12-8000- 23542300x8000000000000000275839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:41.734{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2095BE17C5CC74591FEA3E7CC9ED3CA,SHA256=F4AC93379EB9506839CD7CA20A2F4FE4D5C3EEE9A4F28045C6321CF5318CF209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:41.308{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DF6FB3F81248135C754A96DDD04AE5,SHA256=239335D11555705DF5D4FEDFB91FDB389358C0BC04E695A20DF2C3074011EB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:42.849{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC2B9DBB9E49FDD90A398CC1C094144,SHA256=D33D0B4FB177E00C9E61F872D6FEFDDA9073CD3FA55B6C5C8CA6D50F258BE32D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:42.401{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4088A8CFAB020CFC82E560FBCC56D681,SHA256=42E79FB446DD8CBA8F3332A9C500C80A4919E9402C50EB9C267FC23416CAD9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:43.894{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9837B417B878F2BD478CF8D4E9A6AB1C,SHA256=C8765089780725761C3A3E860ECA530358ACFE71A7022BF9D622564A66C5EE3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:43.495{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F6B26D8F0EDF55DB094E27B0DF142C,SHA256=356B7303EE273A7F64F19930C986C180EC45F22CBD8037B068F15B5CD4C5D2C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:44.589{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C2A4721592C4790F7CF2BD2F8D9221,SHA256=7326E1D4F3E85AF24C408EC11D447728CE6F3EA886DA34C21772D72C74320B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:45.886{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:45.683{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0E5A9A1654B9C979C21EF06CDA9077,SHA256=CC3375B8FC6CD44C27949A30CF25A0C40632F7582BD83F7FC86441A87BA8601A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:45.031{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454E3983AC385F4149B2A3D9D0512C0A,SHA256=BB0B5A1DF4519E320BA77FDDDC6B20A19BC61AFB59241E9A2B56077880BE7944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:46.776{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7507003163FD92179F669F6173C1AFE1,SHA256=9979B5179341C82EFFF4CC2228D27562A965ACBEF0C3A139E14BD0B793776490,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:45.192{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50966-false10.0.1.12-8000- 23542300x8000000000000000275844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:46.061{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C11EFBAAAD8076F17A063B42F35185C,SHA256=7AAB86E6573CC1C3CBC13D653C64F87AB1365CD9112760C1C084F5B540C832C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:47.761{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9FB4F24A688A10EBD67D457BE6EC4C5,SHA256=8E889647B6492CBF2AE85D705F3655BB838FBACAB00659FDC90775384AF9C6C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:45.958{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50967-false10.0.1.12-8089- 23542300x8000000000000000275845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:47.192{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074C89275D436A3EE8AB900CB55454F3,SHA256=BB6E13463749F4616E39B712064643AF0480EAEDF0A7DD777C8887FF87CDFE7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:47.667{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1E20067B671D8D48083CD76AAEA89702,SHA256=49F1FE37E10C0CBE3041D6F52AE76CE0F25C2666764D20017E945D5F73B0744F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:48.855{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0013D8B914CE3AEC62F722C5BD532E2,SHA256=303F1793CED97EF182E6F4F7C464EEBD13807F9F8206B028E88F92825F7C0F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:48.880{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:48.230{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052257ACD2C17BC0E98019CEB3421A38,SHA256=CB7F78B3CDEFE7AB72CDC78479B678C4848941F736849DEE4D9045CB60F89B1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:45.255{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64884-false10.0.1.12-8000- 23542300x800000000000000052445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:49.948{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE7A406C6257E6B1BDD416DF4A48C62,SHA256=593A80F62532B7506EBC6FA5834DE63BF390F7A28274CF5BADB36E05B289B8C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:49.349{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52507C880F70AB70451E837F1490EF85,SHA256=371F97E8C8654B957D9D6826EE463384E80696EFD520DABC3433BB7E5C57C8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:50.479{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622312C6FF5FF1C05DEE6EFA9800B4E8,SHA256=CF488C7EA931508A4CF171D0214C638ECB26FA3B7DADDEB0787A96B064697B62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:50.316{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:50.316{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:50.316{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:51.632{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C42A574235879A3620DEB8ECD0543F7,SHA256=D1E52EB87CD9B90CF47373332AB40BD4CDA6F8053F7183A5BA7AFD361D7C8FD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:50.270{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50968-false10.0.1.12-8000- 23542300x800000000000000052446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:51.042{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E669A749B754F841F179B23EDD3B4C77,SHA256=00266F09E1F4EF546B17F89B6D67BC24F3305C7B1B81C01269ADE76472D48E86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:47.890{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64885-false10.0.1.12-8089- 23542300x8000000000000000275856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:52.677{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C3458A8587998CBC2367A9876C42A4,SHA256=F4E1EA5F1A12D7BB0F034592E4E0E1C6D012D5FA220DFAE7EBD9259854B735A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:52.136{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B37A1850DEA55D3F075FFCE95FAFF8F,SHA256=DA72082D976EE71128A24110DD6B7A25CB2107D144FADDCA90F0036B35AFC901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:53.729{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E9E8919BF82C86CE76469986CADDAF,SHA256=F3C788E5B9400155D4B996D9BB6C27F61429972107FE7231C159D5966D202EF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:53.230{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8556FA3C51C2ED8108ED2B97AE6AD5DD,SHA256=678178CE130F1C1F022CF1AFD148A4C5EE376FCBFD5F2082EFBE2E16249748C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:54.875{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE5CA789376193F2A096A716793145F,SHA256=3646EDC3B1FEE074C0FED7B075922F80DAC7E816E5EA97249A961EC57C1AFC62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:54.323{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F077795A5E156483AC57F45DC694A7A,SHA256=3A0A662CCB78F3823529C631FBD0E791B86688B93A2E5CD1753ACB8077348EEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:51.140{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64886-false10.0.1.12-8000- 23542300x8000000000000000275860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:55.891{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3D6E438F2D49BC7F34AF49B3376678,SHA256=9305DCCE80AA186758EE66AAE1D6D1DAE86AEBDDB35B98E3530786438119DCF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:55.417{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684A75034ECD683DB3FDFE23681E9876,SHA256=599B99EE641B4F6B20845C9D7E62CFAC6DAB96CBEC0BA780E7FED6091B357DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:56.943{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2667D4E82EF19E71472E254A1F33CF,SHA256=81233C6449386FE5FEB16CD4AB304C395176057D27E693FB6FC679337F6177BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:56.511{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4251513D11DFB1B8B22AA40801CBCB63,SHA256=B4691A3706F9AD5110E1AD543C824332D909F8CA1347F0352E3B2DF46FF77345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:56.390{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\aborted-session-pingMD5=F73717E1A67BAD966C2DA2F4BE420F72,SHA256=B1FD3A7C55490BD2C33EA2D1631AAA186011AD0080BEE9AF840484CFB649B26A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:57.973{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1008D7B9AD10F526D7C74C2F2409A0B3,SHA256=A57D91AB9120DFFD98E37D0C7E149B171B2466DBC97136627069C06FE88F6C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:57.605{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDA9D83AB19F5090AE450CFCA686E03,SHA256=101BB81A388AB0645398922F73374615AC850BA01C975A2EC2D1326B3AB27DB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:55.301{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50969-false10.0.1.12-8000- 23542300x800000000000000052455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:58.714{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5817E0A4E7365424B8751C2DF0EC4C46,SHA256=6685BF4E91DECC87A6AD15172D2BF7634A51FCB50B287BC4FBB51896CF4F21E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:56:59.808{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F55E9472CA0F2B22057474A3C344E41,SHA256=0E67E25E31934C41EAEBE3BE3E18338F22DADE65B1E490A41B0246E40CFC4601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:59.088{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=AFFEDC34388E9A746968DB67CFCB6B18,SHA256=C4FA4F4068A589B7A3A7BA12ED50C7717E774BE567FCFE642D255C7D2469CA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:59.025{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3D65D56285F4EBB5282FF3C2D26D77,SHA256=D9B88C7132895871F890F11DEC104379AF303326B62187EDC4BED816E357AFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:00.901{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D4E9A8ED0A889192A00DB683E6E944,SHA256=81131D29216C24B896E0B766E56C12012A08D6BEEE26B6E9A9F35F15B0673E1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:56:57.114{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64887-false10.0.1.12-8000- 23542300x8000000000000000275866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:00.071{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56A29A2EE79160F5D9520CA45F168A3,SHA256=2E2D4E51AE6863EB60B00A9EA3C0F4E1668FD78857FDD925E7B58FB425C0702C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:01.995{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BCE07F4A882E523F768918EEB97DF54,SHA256=062A26603D807084DEFAC1B17FE53D233F709EE46872E67A28DA34E4899DC2B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:01.438{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B3207AC085DD7F7E96880BB65A8961B4,SHA256=BDD2825243F6F32C57E61D9D25861E45404962DE8A48A36F7EB4E28A3C6D5ED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:01.123{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51518F4C68AAB4D3CFDFA4E0D0614637,SHA256=FEBA6C8081BBCCFD0D9D4BD2A0A0E5E59327C82B06DAC8F651EAE667013F9275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:02.168{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D801B8209E08601B299F2F3AE3E501D5,SHA256=8BB54F6467AFC84C5C9B68A7A1D772FEA7C9CA3F16B568C2152BC6528425EDCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:03.725{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6772174C56E4AF6E066B88D5464E286,SHA256=A844133DAE3C8479DCF2FE08E30D045F2D083339A0BBFC080F53DCA01E3C476F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:03.325{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F419D5C149826FBBF1871D9CC14711D7,SHA256=2DD8C6BBE6127527C6271C1404C54CE50017C827999231195042351B4B2B5B61,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:01.176{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50970-false10.0.1.12-8000- 23542300x800000000000000052459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:03.089{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4783CA32C21F0BF56202D86EE80484,SHA256=906FDC43150FD605299F0CD548C58BC5A95D919826C04BBDFA68CE4C7DE66E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:04.471{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BECB6403540C4CD9E755BE193FEF69B,SHA256=6FA2F0540866A8A43547EE1D73FD7F877BD11D6D35E3EC67C3E406358DE3B2E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:04.183{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C86DF7951F4A3ACFADF09FB6CA4AD8A,SHA256=97D3F585B875DA23FD26F14673F9E70B6CB5148F910B93219EB0FEF7AB190073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:05.487{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383723FEE22F5207C9A075C6162F4924,SHA256=83C905E9F31DF03EBE0A008D0909FA7469D3D0CDD388AC9818397129A608D647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:05.276{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45735BB8722BDBF4DEE286B0B4D30EB8,SHA256=0F711E0F3164AD58FC34FF5D37F1541B56E7A9FCC55BB8C8905CDFA9206D95FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:02.250{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64889-false10.0.1.12-8000- 354300x8000000000000000275875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:01.666{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64888-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000275874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:01.666{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64888-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000275878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:06.539{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B4FA076E5101D3024D201D9CBBEB0C,SHA256=4F4E13CA411E16C1B4F3E9FD8EE014511F86D329BFD1735F2AF1C0065D72F6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:06.401{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E490ECFBA59AC20EB928CC3553C472,SHA256=E0246C684BBF98FED3CAA908DD3904A01ECEE8755900142F04897CDF775A6852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:07.585{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E484479C067FF1445A409EBF778873FC,SHA256=8D2F951DF91848D108E447F3961F6496E3F4DC6529BBE491A5A67744ABAC7D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:07.495{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B26580FF204DCF529E788EB671A8B088,SHA256=B33C1F3C97F2DC9D12F149BFFEDF93334A1B1E9EA09D3DF7EDA62DB57C224BF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:06.176{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50971-false10.0.1.12-8000- 23542300x800000000000000052466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:08.589{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95AAAACCEF52737ADBB772ED5EBF1C1,SHA256=A0D323FC9E937E2D9C7FCFD21546CFCAA7B737B748F6A53C42135617BC7D4DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:08.622{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA4AB1B583CB3CA18D61A28938F0CFD,SHA256=AEC11DAC27BFCB4C00413819D207E67AC503B842DE0FFD788587A7B900DE3DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:09.683{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068B5013CE759AF0C74434019B25F214,SHA256=EE57A3B74B02D29513333F4FA38DCB7A1F86BD3CE2C4D0F88FB22148C99AFFEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:09.668{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1937BB569AEB1AD40593E3E1F1BF8ED3,SHA256=C5D7301C7AE5F7C8D3A842136FC9546BBA3E60F547D29B0FF2170F7524422B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:09.137{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=119FC076CCFFEEA481789819D2B27C02,SHA256=E82AE026CF4E8FC55B7E4976BB56005D1542BCA9B3937E3C5256D8C26F271847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:10.776{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21CBB047A94C4B6E75E15823A20516F3,SHA256=5EFAAEC64FD2BCB51B6329FC300510DFA5EEDF9197EE206310EC61D0DF21DD56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:10.700{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2021698791F1CA5CFA492C04FC4E630,SHA256=F54324E6AE1932C446F1F1B01A4768FD03A4C63DDAFD60AEB5A65E9128D3FAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:11.870{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1257C1F4BA081C17662DA6DCFBAEEB37,SHA256=648E19C9BD6844E0E866D5B341450D454E3EDEF738A615D8CB80DE1D854AC259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:11.836{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5500D8D113750BDC27485F46D985D3,SHA256=9F063EB2F0A729E0720C9A0DFACB7B41E08EECA01C8BA9ED6BFFAC8F299ACA2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:11.768{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\permissions.sqlite-journalMD5=204E10FCE3B352F13E2C4863E929149D,SHA256=1A4454499AA9858E8E9ABC9933477594A30D2C1829839F9DA467E6F796FEF56F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:08.209{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64890-false10.0.1.12-8000- 23542300x8000000000000000275887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:12.867{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7738BD6B77C85719E3B43D86A5CF9A,SHA256=F328B2EA0F068F57990547839FEAE2348291E2823F9E1C6796A73A66D76CF8F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.964{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2EFB8AECC208606DA35B0B32FFCB75,SHA256=97473872B63734A613868C4E597DD8FEB027CC983B50A325C66EF5A141DF411F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.933{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F2B8-62DF-6B03-000000007002}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.933{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.933{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.933{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.933{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.933{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.933{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.933{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.933{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.933{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.933{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F2B8-62DF-6B03-000000007002}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.933{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F2B8-62DF-6B03-000000007002}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.933{53069400-F2B8-62DF-6B03-000000007002}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000052484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:11.207{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50972-false10.0.1.12-8000- 10341000x800000000000000052483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.448{53069400-F2B8-62DF-6A03-000000007002}11202340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.261{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F2B8-62DF-6A03-000000007002}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.261{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F2B8-62DF-6A03-000000007002}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.261{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F2B8-62DF-6A03-000000007002}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:12.262{53069400-F2B8-62DF-6A03-000000007002}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:13.919{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC0232D6A7E89E8406A275CFC5719A6,SHA256=0D0A40961AEA4B21A634209B425CBBF3BEBC3B0B7E8007CEDB621244CBA0747C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:13.605{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F2B9-62DF-6C03-000000007002}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:13.605{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:13.605{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:13.605{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:13.605{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:13.605{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:13.605{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:13.605{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:13.605{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:13.605{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:13.605{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F2B9-62DF-6C03-000000007002}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:13.605{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F2B9-62DF-6C03-000000007002}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:13.605{53069400-F2B9-62DF-6C03-000000007002}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:13.308{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C064CDCFBD4BDAABBB1C20BF7A2D6F50,SHA256=7096EB0548647E2FAA6989C6343CFA09C5813F0ED60528316A6921B6295F03A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:14.965{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC7D688528B9C0F0DB31756C2A812F3,SHA256=0A297CAD67941ADBF005A59A31E3C5E64E789D403BC77B26B914E01AA4DE9F43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.982{53069400-F2BA-62DF-6E03-000000007002}38683484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.779{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F2BA-62DF-6E03-000000007002}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.779{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.779{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.779{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.779{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.779{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.779{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.779{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.779{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.779{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.779{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F2BA-62DF-6E03-000000007002}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.779{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F2BA-62DF-6E03-000000007002}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.780{53069400-F2BA-62DF-6E03-000000007002}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000052527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.514{53069400-F2BA-62DF-6D03-000000007002}20283728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.277{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F2BA-62DF-6D03-000000007002}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.277{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.277{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.277{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.277{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.277{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.277{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.277{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.277{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.277{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.277{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F2BA-62DF-6D03-000000007002}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.277{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F2BA-62DF-6D03-000000007002}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.277{53069400-F2BA-62DF-6D03-000000007002}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:14.042{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C0E9B90AB9229E5A3D39416ED4A1B4,SHA256=4A67372F5A4368A42D7AD5FB7C9BEB01794ABF50ECF0FE7455D62E7B7EBE2DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:15.997{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C31BCC8C9622BF09606FAB5A46570F,SHA256=6AC4DB39FD94C04B35D63671ADBB7E325321F4EE6A3ECE98CF5921BB143B5B99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.784{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F2BB-62DF-7003-000000007002}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.784{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F2BB-62DF-7003-000000007002}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.784{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F2BB-62DF-7003-000000007002}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.785{53069400-F2BB-62DF-7003-000000007002}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000052557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.534{53069400-F2BB-62DF-6F03-000000007002}6643384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.284{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F2BB-62DF-6F03-000000007002}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.284{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F2BB-62DF-6F03-000000007002}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.284{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F2BB-62DF-6F03-000000007002}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.286{53069400-F2BB-62DF-6F03-000000007002}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.284{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185498EDF4D4B6A4381A4D0FDFDD987E,SHA256=93129FB5BC682E0D74A4609D00378F7BFC4855AAFB8F891E00B0E62A87BD075D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:15.000{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-104MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:16.847{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F958A767BEC97BC89E5205F067EFDCFA,SHA256=0422F4370482FCF24F4A01AC5BB75A0012108FBDF111DCC879D9E258299FAC3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:16.550{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CBDA09E05B49150A6D252FBAB7F0DD0,SHA256=0593DECD5BAFDE5C4C4366ED6B5EA0746E8C7D6D69E9ABFF6DB4E6BA42866712,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:14.209{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64891-false10.0.1.12-8000- 23542300x800000000000000052571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:16.005{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-105MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:17.847{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2312FB0711BC60E93E47F2BF71C9F402,SHA256=9419BA9C9CEC5765DBEFD43C2F0E6FBA1FA0CFFC0E323936C89A1670AAA2029E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:16.214{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50973-false10.0.1.12-8000- 23542300x8000000000000000275892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:17.031{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DAF7DA2E7C6122610B8E9661FCE2DEF,SHA256=A3711FA67584F19EDC75A9141F11B75506EF9E9F2150EE5045EAF97AA63849D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:18.941{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB453FA8BE87D881BD04C3F74A496404,SHA256=42692BD0AE38B66E6129AB9CCBCA57954255C463AF2D7479089CA150333B7ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:18.061{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21BA31AE10433F47EA251AC5B716F25,SHA256=6B01A597FC4A3EB0483D6772F7EEE4DD6A57746A1873583868A48DE27FB354EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:19.093{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31876B596F3050B7F211B9B3EA7969B,SHA256=A0F7939F99FD99FEC25C07AA0A1A1FE3C08C6AC49E702837E874F9E402652AFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:20.034{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C85A59B41D91778DBBF94BF0FB2468,SHA256=3FB920F56DF862F3136216637CF4DC87BBA02204B20B869902625AC819B90412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:20.227{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993FB4C30DFCEFD3B868A3C3C0CB3C0D,SHA256=16192C55F4F54730FF08673F06DBA34CF9A8B45BA505BEA05D4182605A2CC99D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:21.258{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAC859170D554EF7655CA1F7F73833F2,SHA256=334DE0391F5EAB23EB2E7696C1CB2DEC7ABAADC4B7FC372922C00D44DAEF3A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:21.128{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFDE650F6D4CD788ACB4F03F9CF7B62,SHA256=C0C279992E733D2A25226C3AAAC8BFCF5F512D4D1D3BED20BCA3F6124B397581,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:20.184{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64892-false10.0.1.12-8000- 23542300x8000000000000000275897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:22.373{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D550BB961FB54BF61DC912A007C9C7DE,SHA256=8B8255CFD0259F10C51420745BFF0F9EA1F0B0BE6EDDAA1C143EA423DD601567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:22.222{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68BA732A57B4297D5A1F41F85C7EDCF,SHA256=09F92AFE1531FCF3F13F59DFFBD8DC7AC107DAECDF1B573A4C52400B0E760A84,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:22.215{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50974-false10.0.1.12-8000- 23542300x800000000000000052580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:23.316{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5D9BE39B61D1B7F119E9462E8F4B91,SHA256=B0665E42A0525BF4F34F4F44B62EBB8D4D919D549277628746D02E45D1F26B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:23.425{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A200CDB6986816819178205465B76F2E,SHA256=71F20A49B16B3FE4B0452346577122BAC1507C53E3B2785AEE43C09EEA5387C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:24.409{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A9CCA3B7DA30D18E7A862D5933F9B8,SHA256=39FD45131390AAC569A698FFA86BA369B5B8BE86F903DAB828053F2551748988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:24.471{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79E6D27C3416481EAF9437A13BF1683,SHA256=01354A97E8928D37AA68A6359B6D0F2FB439EA5EC5DCB3C7F7FDD5E53AA63BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:25.503{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F419845A98DDAF621E396FABE894FA9C,SHA256=E010EE4E14E00E5B90D6DC2B1F349F6832D027C9F9906106399C89A1DC3A28D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:25.607{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE2F7496BD478034DE059B1A86CA697,SHA256=7491EB0E3D82768071F8273D9DBBB34F441DAD16ABD4F70C5AD30BDF6A2DC8B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:26.597{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354AB994F7FDD36C630FA7832C1B0FCA,SHA256=820DA4C8CB3370748CFBB041656A93D87B3896B68F49BA7A01E127772CF684EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:26.653{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6553FD06B77305FC31F3A4DC344D31E9,SHA256=0F71ED1C174384974AFCE5731A8E1E5374FC7139EEA4C040813F6387D30729BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:27.691{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEC49CA035E43F3E2C32120FCD5974C,SHA256=E5E3D1F8027416C98D738723DD1BA82B0F7208700CA52527C68C3D2223B9DF53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:25.247{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64893-false10.0.1.12-8000- 23542300x8000000000000000275903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:27.685{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CDF26C0C8D6D16888C59CC56152F637,SHA256=EF728BFB65022992BBA3746DB7ED855FEEE2533FA1D1F6E13DEDEF1080C949AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:28.784{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A2B178BAFF348444485F0568A3A339,SHA256=533FCBD9945EF0306A3C2CC102459D129AB7DD2015DD1B84B10041E946CE860C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:28.706{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BDB3E7EE8290951C1C155BBE2B2FA0,SHA256=FD21AB74BA03173F211964C3D11662BA606F26ADDA132EE4634C2C486FC9DFA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:28.200{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50975-false10.0.1.12-8000- 23542300x800000000000000052587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:29.878{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832E531ADF44ACB86911A9331C614C4A,SHA256=991C192BBC0CEA584900A80EF0A60041E092B6AC5135C06FA99AD0076347266D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:29.734{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F2B3482BB7D384FA2694C6A248D33A,SHA256=46F6D237D2AFFD750D33E9AFF2AF52ED85A89CDA23A7E6D24D6A72AF0210FF4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:29.205{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-104MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:30.972{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D708C7CDF6B565195122BFCFDA7926C9,SHA256=E902A8DE40BE98874D2AEAAB1EE2AD0BC4D9E41E524E4F0B7C96521456310991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:30.849{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDECD6230FD7C16C56D18E8576644F55,SHA256=679E4702BB23E3A0356C8C4FB8216ED294DCE26ED8DD7A89C24267B3B5DBE1A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:30.219{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-105MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:31.981{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438C032A91F1FD088788B62518259AC5,SHA256=A876589A640093C5ECBA4021076E4566B44AF434C813F571E61F56E44B7C42B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:31.685{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=627DB6E9780BA64BB3898BBDE792C6A4,SHA256=9BA19B52CCFBC47AD6D2F461BB46A29E32975ECB1005B10BA7725480A481997D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:32.066{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF302DE1300720C29BC813FF6B7AAFBB,SHA256=9D7AA761984638CD309F3969638DDA15F9DAD14ECC4C35E0941240C8BF96A751,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.931{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F2CC-62DF-5004-000000006F02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.931{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.931{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.931{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.931{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.931{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F2CC-62DF-5004-000000006F02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.931{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F2CC-62DF-5004-000000006F02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.932{F81F30E6-F2CC-62DF-5004-000000006F02}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000275922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.463{F81F30E6-F2CC-62DF-4F04-000000006F02}48762816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.447{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.447{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.247{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F2CC-62DF-4F04-000000006F02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.247{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F2CC-62DF-4F04-000000006F02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.247{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F2CC-62DF-4F04-000000006F02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:32.248{F81F30E6-F2CC-62DF-4F04-000000006F02}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:33.159{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65565F2054E7C5D9C250EB711F677A9D,SHA256=936F0079536A9B02BDBDAE3FC1B3A85684E7321A8C71B39D9AAD4D023D5B4928,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:31.011{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64894-false10.0.1.12-8000- 10341000x8000000000000000275941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:33.440{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F2CD-62DF-5104-000000006F02}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:33.440{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:33.440{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:33.440{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:33.440{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:33.440{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F2CD-62DF-5104-000000006F02}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:33.440{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F2CD-62DF-5104-000000006F02}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:33.441{F81F30E6-F2CD-62DF-5104-000000006F02}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:33.271{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12F969FFD8F45FED06E81D7C3280A9D2,SHA256=1FF3FE3E2323D96EE696388DACB743927847273902FCC0F4B2A3440DBB03EF93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:33.206{F81F30E6-F2CC-62DF-5004-000000006F02}77642308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000275931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:33.015{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53DB04F0422596496CAE10F5B3F02164,SHA256=92E1680DD23566A3D11C2CC9D6970F93D7A1AAD72A8E22F5392BD8779A64F7BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:34.253{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4255BF016A6602FFB1B5A89347BB2875,SHA256=76A02BB8466DD1BD0188518DC720C86B64120CA8284712E589946F2A4C2DA390,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.923{F81F30E6-F2CE-62DF-5304-000000006F02}8104612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.755{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F2CE-62DF-5304-000000006F02}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.755{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.755{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.755{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.755{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.755{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F2CE-62DF-5304-000000006F02}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.755{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F2CE-62DF-5304-000000006F02}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.756{F81F30E6-F2CE-62DF-5304-000000006F02}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.755{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D4BF5B031A6594FFCCCF3D69F67B1D6B,SHA256=CEA65ED8A4C794E1BD93BFFCAC1350692E500E7BC368EC4574C9B6ACBD27BAD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.123{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F2CE-62DF-5204-000000006F02}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.121{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.121{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.120{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.120{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F2CE-62DF-5204-000000006F02}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.120{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.119{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F2CE-62DF-5204-000000006F02}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.118{F81F30E6-F2CE-62DF-5204-000000006F02}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:34.039{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C894A87AFEC32CFC55CBB9581FD8D2EE,SHA256=5270CFAF194E307CC0C4302CAE0C7B7D3FCB844D5EBF11C138BA65E94A52D0AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:34.004{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C2EA49782AB8613FC5BDA4496BEB813B,SHA256=35AC57A723CDC3B8027F8C7AA3598D52E576655A11C1194531D2E022A3EF3D61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:35.347{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD581AF127CF4418FD83614CDF072625,SHA256=1956C89C63BD7D964FB2D1C6D7CCBE70B7C51B37729E4B0A8DFEDC41E98C4F7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000275979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.954{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F2CF-62DF-5504-000000006F02}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.954{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.954{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.954{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.954{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.954{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F2CF-62DF-5504-000000006F02}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.954{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F2CF-62DF-5504-000000006F02}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.955{F81F30E6-F2CF-62DF-5504-000000006F02}7352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000275971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.524{F81F30E6-F2CF-62DF-5404-000000006F02}74967488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.354{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F2CF-62DF-5404-000000006F02}7496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.354{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.354{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.354{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.354{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000275965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.354{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F2CF-62DF-5404-000000006F02}7496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000275964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.354{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F2CF-62DF-5404-000000006F02}7496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000275963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.356{F81F30E6-F2CF-62DF-5404-000000006F02}7496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000275962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:35.086{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F3B87993D31664140F245B306BFC432,SHA256=25DB96AC8FC9E6A51987AEA598CB4937C1E379C9B0F4E996F3359BFE818CAD61,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:33.309{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50976-false10.0.1.12-8000- 23542300x800000000000000052596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:36.441{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B68A2109398859FFD9B4B87E810DBD,SHA256=E6434DA39E42BC355A2616F26F63EAF64039178BEF5331B3A8109AF87C743EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:36.102{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8224C38C87366603B596F845DE95592D,SHA256=0AD8B98D9B3B93A5C044DE5E6AF6CDD5475A955DAEC1F54BF3ECE650F048E5EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:37.534{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA94332B3A289EBF1B916833EFDCA04,SHA256=81FDFE46C05F4644D709E664BE30697446FF8AB9C76A811DA8452FE9E13B9655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:37.254{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DE5ABC91CFB44C069E518C5CD6D5CA,SHA256=868E492A03397E8223F10C94A072D7A4D83C92AE669AA8124ED301FFD2BC0526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:38.628{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED543AACAA345ECCE19CAA696D4F4D34,SHA256=55E6B049593611E3878F44ED93DEDED001FE2E6A782C242E4EB9F280913315D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:38.300{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DFB044BDC773F05365C6CDA037071FF,SHA256=29AC4EC5150319F4F3730C93EC4E59FDC526FFCBB0AD7CC9E7243372C98F7EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:39.722{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A027B5E06E5C58AB12A299C26950C8,SHA256=46B4CD804A1CA0670A9E91BE5B5ADAAA3D0DF369FD67BDD1677109A48485BABE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:36.212{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64895-false10.0.1.12-8000- 23542300x8000000000000000275983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:39.351{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03FE4B1E35CE2B809D0DBB4B974C442,SHA256=63940985CE759F68AAE0BCBB8C490067E668DE7C779B98FF5872C99C69777D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:40.816{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EF4B49D45EDA7763477C60DC15BD4A,SHA256=57B07D7CAC34FEE5D1E4E284097B509D68BAD73D684BFF73EAD2157ED67858DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:40.397{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106BE35878C61CEAA8E56D7A4706491D,SHA256=4EFE58AF557387B8C832044E1E069209CF4FF9212E5E00695BF07BE45A6241A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:41.909{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964C7C5DF360709043D872754462CC63,SHA256=A7750990E7D655727DEFFEE4509834C22993FBC4A8F8544B2ED4B35E8D481590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:41.534{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430300AE8B92319BEF24543E97CAB122,SHA256=04EB31E3D27FA8CCDD771B1A7148980768319504C44B2D6DD9C80916BDB1EC88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:39.293{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50977-false10.0.1.12-8000- 23542300x8000000000000000275987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:42.580{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C14C0D8B2DCFDA68B42A6B83AFA4B2,SHA256=0B68A3E13B78DAC31EF339DC2EB011F8EDCAD7BF24CB25A6EFDCC1397E7009C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:43.631{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95E02E657C9475EC9CE704C0B2597FF6,SHA256=43485A53809D8A79A0B3C7085DDD6F907E54D7F1B2C4117692B6874F2C287986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:43.003{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF2E428D1F0CDA8A84705FB683A3D73,SHA256=AB7266AF3E22F072170D8356F167BC4144D789A159D610D096C7D4C99E766CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:44.777{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21966B1631CDE27680B9C7AC8CEAB8D7,SHA256=981CB7688E818DBBB5FE76EB8E6B50BC7BBCD944EA0EB998BE1367C7A007CA2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:44.097{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA1ED1324AAD0C98F50E233E11FA4B9,SHA256=6CB9967E045108008CCE8BA001E0F7A6D809D5EEA13629D778197D5151ADEE7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:45.910{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835C3C61376586296EF6F53AAF66D26D,SHA256=546DCCDDAC3EA1200FF31985138A32F949D6C2269AE220FF9FD127F74A4B819D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:45.909{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:45.191{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7386E7C5C811D31857E24423EBD638E7,SHA256=EE020214387D9C6C77CD76E63C29A8DF472493505A731B6350F175F60637BFA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:42.173{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64896-false10.0.1.12-8000- 23542300x8000000000000000275992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:46.959{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7DFBC93F4EB94E407E984CD657B4BBA,SHA256=58817B4DCF30F1D2B8E0BD59D4C8B9DAE9EE11B361842CD9AC8DA60094E5A444,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:45.216{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50978-false10.0.1.12-8000- 23542300x800000000000000052607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:46.284{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF229B69E136CF726AD8833E93634D8,SHA256=76AC49DE3942BCBA6583C91B8D07F3E11088751FCBA3A7960E3CAC0B865985F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:45.966{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50979-false10.0.1.12-8089- 23542300x800000000000000052610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:47.378{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CFAE0C65A7E0060C407C36732B1554A,SHA256=A865000838D4E81F3CDE2DBBC4FAA15FB7EB5BC5056EDFF20C02C1447F1B24FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:47.066{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=90C9F309668B554D32EF8A21C791DEA2,SHA256=7E92BE1C580F0A93D812101FDD2DDD2FD822183A675206E4784E0524534D4B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:48.472{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307040B23C1B1E97A108EF0FB56288BD,SHA256=76723269354281DCA850C719C0A19AFC54297A156965154ACE775A6064A425E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:48.909{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:48.107{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA7A264EC2231BF86995E280BD0C683,SHA256=1DBB092877A3C59A77DD7C1887770528304B62B2AE021E02409CD8B9CAC28EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:49.566{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69D4EADB4CF47939F9DBFAD12D4BCBD,SHA256=E51ACE414EB3C6870B77922EA9B34B4997F8ECB56733CACBDE0A06B55D6EB26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:49.226{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E42F9BC5F6D590C3AD09E901085907,SHA256=2748F76B2C9D676C6F4AE8096A105CA322E0D618C58CE35F11B5AC016EDA00DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:50.659{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17FF85509110F76F5F913A07A8369C5,SHA256=B82D13897BE6841E60FE970E3004A6D812A88CEF0D0CC4A5C08D23E5C31711CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000275998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:47.899{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64898-false10.0.1.12-8089- 354300x8000000000000000275997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:47.252{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64897-false10.0.1.12-8000- 23542300x8000000000000000275996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:50.272{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F1BC8526E7D697D9D9A7423C642EE1,SHA256=C6B6990E89A39BF29E412C6A920A954E4DDA039795D61CB77B94B323AA6EF025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:51.753{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC79E7C4357D264926E065E74F0C2AD,SHA256=505CF607C4E169D12A9687D8341D877D8B40B12874B05795DDE683ED327E2A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000275999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:51.305{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046D565C338FEFDCC11A09A4CE93547E,SHA256=33C262FCA5AAD012B2376B883A912B1702A0CED815C063FEAE7F9F835B5C406B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:52.847{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2E26E6EF0820FA7A94E61D849DA966,SHA256=9A9285AA4C617A95BE7E6E28BE9B11F0E910D33DF136EBEEE777F494FDF55485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:52.339{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A032605B8766A1E1AD1E53F596687391,SHA256=2350BA0D40CD9E05B7812ED1CB18724B71D660D64AE740796E513B5BA7D52568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:53.941{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2443C53B62F6EAA6333504D59BE092BE,SHA256=BB0644347664708EAE357610A2C33110979707BD579691968F6390737E6DCEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:53.369{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465263A4EC5B3B47540FBDC19B1601E2,SHA256=3B786C03C2247DB35667AADE58B76464F76625D58E51D44B4223F0BC92514BC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:51.200{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50980-false10.0.1.12-8000- 23542300x8000000000000000276002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:54.521{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B327B5CC0E183FC68FAA2C3E0D7C1BDA,SHA256=F057DB6709E6A63264647E358F3E4DE017EE44CD1F2D68C94F255016EC6311CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:55.552{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53D261505BB685EABA4EF35E9C961C4,SHA256=F40E4BADBD757110DAFD8592FEB8D625C084129C0557ACE133D172377808CFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:55.034{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBDA74EBF81858A68EF03C545D9F17B,SHA256=1EF64E1082C871DCDA8C60018B3318B66D4034AB7E5EC91FE6A4EEF14E81DB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:56.719{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6543941EA60502954E2E66E409CF1CEE,SHA256=B9F076E397430D4DB2ED845471D5BD6E194CDF9B6333E38AA9ADF24D00DB31A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:56.128{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4F272B7DDB04EF46216187E9627AD4,SHA256=07A35E06F246B2BE5B0925A44F2F5F96DAB9113E77E72B26675A231FB5F63E0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:56.404{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000276006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:56.404{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:56.404{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF634e5d.TMPMD5=916C2D93B58C5CBAC8AC3098A059BFC5,SHA256=55953AB8F4BC753693EBC3ACF5A7C00D704055829032829763C3617710DD9C9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:53.247{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64899-false10.0.1.12-8000- 23542300x8000000000000000276009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:57.765{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60BDD349AB205BEC4443B0CC9FA7D58,SHA256=AD439BC7348C330AE97EA83F96DE36DCF5AFCA7DA48953846587151662BFAB5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:57.222{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850CF82C6635C12EB0483B17B2BA17EB,SHA256=BC643E49A06B90F946023B7388024A55F57A9C02EEE146686CA1B43EF9606AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:58.797{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F1AE49627A4729690468EDC952AD87,SHA256=C4EA74FC10BFFC5D8E4232E46C38744E42FE2296D25E0AD628F910FDA733E293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:58.316{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E7E432AE2189EAF736E1B3F5241AB2,SHA256=A901E1593051155598150BC785D76CD5D80F16C4C49685484F07F0C227A98A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:59.832{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334D08DE9D495C42F0CA8D39ADFFC1FD,SHA256=39A9A6342CBE3B9C52570A4EC207E2BC6E1E569E8A1EBF6F9E6D14838D570718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:59.409{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A405D70F64B2EBA857CEBB03B4E5D0AD,SHA256=3E403AC32A160CE55896FF5BEBAFD55B66A52584CD2E662D5ED744FB345AD1B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:57.168{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50981-false10.0.1.12-8000- 23542300x8000000000000000276013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:00.979{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DF4818E20C3A18AE02BEC0E863165198,SHA256=06788EAA95EE83B6E0F7C3F54E15C5F98DE3CE330E06304B16AA85B289A3C9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:00.848{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8881F5E109898515DE295384C2533B38,SHA256=578609C64A2A7AAE15768BA2B5B20C336B24A546DF8AD30468EF99D99223485F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:57:59.028{53069400-D97D-62DF-1100-000000007002}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:38f0:1ac3:f5ff:fef0win-host-ctus-attack-range-459546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x800000000000000052625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:00.503{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F435871EA89335DB234F47873983A15F,SHA256=D01EAA59321D5EE3DBD933568307A4F178211AD92749341FDFAA43FCD4046ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:01.896{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88AA9B819675F48CEFBE6248A59B41A,SHA256=8F33CD9418B9479CC7264FE24FE5B2DB5E0DC3CB45A22766F8A8B7CA86AE5FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:01.597{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F693C43F43512E61BF4CBF77561DC59,SHA256=E245A2C140DCB4558367948E7AC85525A81267E430782FEFBD8C601ABE0BC684,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:57:59.026{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64900-false10.0.1.12-8000- 23542300x800000000000000052628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:02.691{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD1154DD2F67414304F9744C0A75885,SHA256=176F41B0FA320A238813083C6ACEADB0D93E6FA92873276D16308EAE493A12D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:03.784{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F66E487154AE364BE5B893D7FDF245,SHA256=3598A9B2C5F1CA8B27523FB2637EBC1DCEC8911C9ECA61AF1701CB74EAF4F454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:03.777{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A0C6A79BA4A3A72964D05AD3ABBAC3D,SHA256=F0F79BEE306A7A55A5DC4C59E4849959DC2408053C6B5279748C2A0E46F1F874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:03.015{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A95B1A732AF76EF35C050B3127D76FC,SHA256=7FCC50CA22B6FBDD05AC37222ABD6C05E7DA34B4C2AEA1A59434AC28A5477B4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:02.200{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50982-false10.0.1.12-8000- 23542300x800000000000000052630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:04.878{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4F7B47AB7020146C14C60FFA1222C4,SHA256=4E4E95CE317E7C299264A5E891CAC8A1227CDC471C4BE714AB64D70AEE563422,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:01.673{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64901-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000276019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:01.673{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64901-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000276018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:04.061{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0877780B58CD699B8B8F378C7FC267ED,SHA256=31FA1768BD96044CDF31D789FE1CA5A4319BADDD842FFE898840423CD7EE6C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:05.972{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139029B2868686CDD67D205EDF17DFCB,SHA256=A145190A659A5FC2595EC409BC375B790603D1CC13240C99C44623880511D284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:05.095{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DA55BB70B4DD39B725E0D9093D20A6,SHA256=5F769CC7A72D3818588049BE614813388E1A4C21FF042BBCBF8BBE8D8564875C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:04.186{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64902-false10.0.1.12-8000- 23542300x8000000000000000276022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:06.128{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3812D5B573DC8D2E99776E5430E9A3,SHA256=516B341033BF6BCBDA222D4275ED20614AD100D1F5CA9C02238198D9817D0B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:07.066{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1BBAFB05A014F38358DF76BD6CCDE6,SHA256=D0EAF909DF0BF3CDA6918F85F8F996B5FAEBB83FCA1099BCF043BA147F314C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:07.159{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0F10852505A244A357EBD2971C99FC,SHA256=16243F6FB6F4B1EF84A593F76EB786024098672716CA7D92E220EACAC97F9C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:08.159{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E08FCEEA700CF89EE2D5EF2945E7A5,SHA256=D0C74428D84352E0BA698F1639B7CDF6F932B1CFBFF534A2C0B09819E1F06A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:08.274{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E827BBD1278A90F4D75D9FF72D136E,SHA256=7FCB7806A3A07EFA19E97E4A3AD1D230B098DC362166DD3F6C3681FBF3A2AE2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:09.326{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150AF217701374F2A3FB5D3C4FFDCCB1,SHA256=5895FEE5EBE99992004CDD23210E4A7E7650CD1F4DCBFD8E3554AF80A5CBFB98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:09.253{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF60F5B6534DF3109BE43A496C0252A,SHA256=B9D38C7C13F92BB91A0E66B0942802E2F9F1A63E9BC7AAD87D2B2BA9B9FCCA71,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:07.262{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50983-false10.0.1.12-8000- 23542300x8000000000000000276035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:10.492{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E95F8148C37530ACABE67051520AC77,SHA256=98C80E01CD7875C91BD2267F0ED68899A345E83DADCC7FA274AC3306B1CB3B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:10.347{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B814B3E47B0961A6C5A3A61F3F9205,SHA256=C473D292E300027D962247B9BC524093587399489A5966FA14D41550F4D0617D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:10.241{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:10.241{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:10.241{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:10.241{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:10.241{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:10.241{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:10.241{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:10.241{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000276037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:09.198{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64903-false10.0.1.12-8000- 23542300x8000000000000000276036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:11.524{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91C6E4D6A917951485B19098E0F9BBC,SHA256=4E9DE8A2C65CC02CF0381807F51D548C927E35BBBE5E7CDF7FE493587B306BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:11.441{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E318C7A8A9CFA376400562C49BCA8FA,SHA256=362B2A54D3133AD8ECFF509C980D9CE5CD7A6B96446183727DF00F83CF462B5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:12.670{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6357EC86D7D50570C1268579684A82,SHA256=F51F6BEF9C08585EAB697F6E92D33D110156E698C69E64DE1291190954004616,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.784{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F2F4-62DF-7203-000000007002}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.784{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F2F4-62DF-7203-000000007002}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.784{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F2F4-62DF-7203-000000007002}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.785{53069400-F2F4-62DF-7203-000000007002}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.534{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931FD4F71F37F559679365D7DE4CE580,SHA256=40C6F3C28CD58D0874F9DDFC32222D8F343E77EFD79DC1FF7ABE39979C8303B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.503{53069400-F2F4-62DF-7103-000000007002}14161072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.284{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F2F4-62DF-7103-000000007002}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.284{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F2F4-62DF-7103-000000007002}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.284{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F2F4-62DF-7103-000000007002}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:12.285{53069400-F2F4-62DF-7103-000000007002}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:13.822{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16DAD1F9EB4D135E0CE24E738247D361,SHA256=3BBB8745F69A39F6F83421AC10E54903DA7B8546C828539EB1597AFEBF50B890,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.941{53069400-F2F5-62DF-7403-000000007002}1412748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.784{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F2F5-62DF-7403-000000007002}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.784{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.784{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F2F5-62DF-7403-000000007002}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.784{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F2F5-62DF-7403-000000007002}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.787{53069400-F2F5-62DF-7403-000000007002}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.784{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219A44A12B05DFB7B50845E880CE882B,SHA256=DB77FAA8941B9D5EAE8E19ACA9A797EC04341E4BBE6588996E53BFDAF8DFD13C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:13.469{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.394{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A5A0CFF9A5B4D29886BBBC7D9D4A66D,SHA256=23359B3C58EFF008F6FF08A2BF4215726C777E7F01C754EFC46737DE48B7F019,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.284{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F2F5-62DF-7303-000000007002}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.284{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.284{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F2F5-62DF-7303-000000007002}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.284{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F2F5-62DF-7303-000000007002}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.285{53069400-F2F5-62DF-7303-000000007002}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000052667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.019{53069400-F2F4-62DF-7203-000000007002}16323432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:14.852{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027ABCCB7DBA7D3EDADA55D08510F6C5,SHA256=787D6F9D6949D2372CCA30E954E4D443EC94B6E40191ED8512A767D8E184D181,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.925{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F2F6-62DF-7603-000000007002}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.925{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.925{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.925{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.925{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.925{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.925{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.925{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.925{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F2F6-62DF-7603-000000007002}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.925{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.925{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.925{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F2F6-62DF-7603-000000007002}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.927{53069400-F2F6-62DF-7603-000000007002}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.925{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3EFA287583D2B43190ECE00CAC74C5,SHA256=1E7EF710D349FAEAF55A7E2056C96091410D7D36A25F36B7F7ACFF199383E9AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.394{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F2F6-62DF-7503-000000007002}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.394{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.394{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.394{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.394{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.394{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.394{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.394{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.394{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.394{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.394{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F2F6-62DF-7503-000000007002}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.394{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F2F6-62DF-7503-000000007002}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:14.395{53069400-F2F6-62DF-7503-000000007002}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:15.985{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C943A5B0F555A3B92EF4D91C213C61,SHA256=923C8B3C48AB768E62DFAE59DB7021A8212711D861C43885378255810DB68092,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:15.597{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F2F7-62DF-7703-000000007002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:15.597{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:15.597{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:15.597{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:15.597{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:15.597{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:15.597{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:15.597{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:15.597{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:15.597{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:15.597{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F2F7-62DF-7703-000000007002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:15.597{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F2F7-62DF-7703-000000007002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:15.598{53069400-F2F7-62DF-7703-000000007002}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000052725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:13.168{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50984-false10.0.1.12-8000- 10341000x800000000000000052724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:15.112{53069400-F2F6-62DF-7603-000000007002}14201660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000276043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:14.216{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64904-false10.0.1.12-8000- 23542300x800000000000000052740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:16.523{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-105MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:16.083{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E1B91794420F7E1FE4530D5D2CAE89,SHA256=4A31B026CFB64A7196F6817C791ABA773A32FFCCA1A0E5867E71D417AC4CF9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:17.036{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588F94E43DC82A44A11969C88B7A537D,SHA256=AFC14776E938D9A2D7B95865EA00A3A1270C52ACE9350073979CAD638C687BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:17.565{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DDD882252BADFA679E626C28E9FE3703,SHA256=9C09224E8154862D0EB25D58DCFDA99AA1525809B688CAFBEECEE57F364CB382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:17.537{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-106MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:17.177{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F3122A68FE4D9373E4CEDFB4C8A8B8,SHA256=F94D00F446F6C12DE65B81FD2C5D76E72BBF477E12B8DF170B424378932F4AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:18.136{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13BBF54D8D3E23537A39775D46BAD69C,SHA256=187F91CD41F9A3746A3958ED7FE4D77632283D14F98B4F4F1201052C501FBF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:18.270{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26692C44B8F9DA7159B019B23C860A6B,SHA256=4B391CFA1D9690DF78FC1D0AA1D61482E942E37EC673C5D4085A6CD293D3BDCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:19.364{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226343742FCA34FBE64BB79EC7D742A2,SHA256=8F393DE693F28F64B5EAA367B800A6D7CA2015EC563F9AADAAD30C4D644159FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:19.283{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB6011E49D46AC461901EB5669FF0CA,SHA256=203C3C3D854DAEAC21B1514910D9AC250B196CB1F8950588D765CEE1BC04C975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:20.458{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4B7BAEB7CAA0F573D25D79CAD7C5B0,SHA256=9B86E78E3529C544EB8A84B0ABD2486262BC72E0F70E9F97ADE89F4D5FA8B685,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:19.154{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50985-false10.0.1.12-8000- 23542300x8000000000000000276047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:20.334{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31152CC68392B51300A866C5B26A940A,SHA256=2CCBF4C4CB7C96096893162B315A48D0B53042DAC95107F02831C54F2075CF6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:21.552{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E960EB5E8F83525823DD28030C8415A,SHA256=F024A5A168226C14E402BBCFACB3034FE2B0638E75E391F42334783160735704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:21.482{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E794D6C906421A279621C6B8EE8DE3A3,SHA256=150FC832C8A8AA9144572EE9E9D63C678AA641B2A5432BF16F100B799B5CE783,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:21.149{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:21.149{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:22.645{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C299BEF0F21D60E453FCA641330400D8,SHA256=6C1BD3D6FE9E179C442A421FD736733EA5F625973A2CC89E86FB42E527F59C53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:20.090{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64905-false10.0.1.12-8000- 23542300x8000000000000000276051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:22.532{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614DEA789B0BC18C39E8E9B24A2B81DF,SHA256=7BE9CA45FC690148E50458C0107BF19CF12A7D31A8F0BA946B7C45E6C089CB51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:23.849{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C4215EA178F04F4A2AACF8761955532,SHA256=2CB71A9E5117D8C30FD20053CFC5DAE2F696968D116A6C6246227857749DCEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:23.579{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA2AEFAB3C2C08D9CF8C93B57FD16AF,SHA256=7BA6C8A63A72307908CFC26F580C822742EBE2E5ED883AB3A76FBC0CA5315430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:24.942{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9A0AA547C8C2BFFAB85E8F7E698C11,SHA256=8925B99467D0B22B5475892EDF394C2CAF030DA44D51D9D281CF731A2D69D21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:24.714{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D52E0D3EEFF28D950392F1EAA095E0,SHA256=C78BAE528712B079B755A864F91E32500E014EE70EDC228A181593641F0788E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:25.859{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2742B415BD4E829F14DD18BA8C003B69,SHA256=E72C29FB8D7ED5DADA12A1A5038B558F769096F6F242A90EBD0BD335C542EE56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:24.187{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50986-false10.0.1.12-8000- 10341000x8000000000000000276056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:25.513{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:25.513{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:26.896{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B067F6FE774E7591E7C0D28E3DDD9D53,SHA256=4FC47C5668ABB00B45A1E71F349CD5BCB3257CB467CD03D8772E1B3D29030AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:26.036{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6356F1AA722A7A8A68935CCBD22C3CD,SHA256=57A676975C7D6F49670225E4C1E26ADE3D0F449338DBCB1D2F8DFB11AB4C3B4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:25.185{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64906-false10.0.1.12-8000- 23542300x800000000000000052754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:27.130{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BE0EADC3EF093438C0656365AF02F6,SHA256=26B1A978A5B9B8C93FE99545064B9D0AC04EABC2B855E2667965E2B0F870D695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:28.224{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6011D2F51F2ABB093B9CCC3644C23EF3,SHA256=F8A4F416D4DA37FE2DC52A25CF936EB3CD211DFBCACF8B621B281EFDA13A452C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:28.032{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93A9F5B73250FF274B153FBA845CA34,SHA256=625DB7603DF506C0C20E89BEA1F1EBBF2DC87EF7239C01459A3534329F327E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:29.317{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AB158316A3B3BFD30257D2276E3E44,SHA256=382901819F7C5DDCC32D749FAF24DA8B340230A2C65C6827C02F501E10E97DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:29.063{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06959397646DD87F4590E5D553A16B39,SHA256=515983EEE3C276EDCFD74DEA786218B6DFDEC45E8B36DDB708EE28CBB9103CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:30.752{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-105MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:30.095{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50122491C0AC534816852580B3BE7853,SHA256=12779249C76C92196BA0290D1B7B46C8D503D9C48F02CE95CDA0B19265E53BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:30.411{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80658B42E59089E325F5F366A05BEEE,SHA256=05E6314AFBA7010AD78B403DC97D6A68E588F9F296DC6B7633C1029A87E7CF9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:30.217{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50987-false10.0.1.12-8000- 23542300x800000000000000052758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:31.505{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DC05EBDDFB9A000798D4D680265E0B,SHA256=2DA5CD0EFDE9605870EFC6704BF9B95B4A3E8578B66E9831E92BDEA0A3990932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:31.747{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-106MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:31.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:31.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:31.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:31.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:31.295{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C3BAD75F165380411B446D2005B0AF1A,SHA256=6AC4860D501004270FB7F624D9FB3EDBA6742037EFACE4198B022F944E2BFBD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:31.130{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAC0E4A13B426799D3B3B42DA7C92AA8,SHA256=CD52215371E6C22CD5055CEA95096650BAD24AE8C71050F67D2F78B1258552D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:32.599{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44363D200D3E08B77DDCAD86C3F8BCC9,SHA256=F693CC9CCA236B54B31DE6114BC8DC96861B3CD69B0E7BFB572EE8BBA84C442F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.873{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F308-62DF-5704-000000006F02}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.871{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.871{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.871{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.871{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.871{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F308-62DF-5704-000000006F02}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.870{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F308-62DF-5704-000000006F02}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.869{F81F30E6-F308-62DF-5704-000000006F02}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000276080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.399{F81F30E6-F308-62DF-5604-000000006F02}65247532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.215{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F308-62DF-5604-000000006F02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.215{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.215{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.215{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.215{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.215{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F308-62DF-5604-000000006F02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.215{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F308-62DF-5604-000000006F02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.216{F81F30E6-F308-62DF-5604-000000006F02}6524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:32.197{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70701A574A792B183DE10B2A6C4717F9,SHA256=EEE83F80EC1B0CAF417AC6455F3C45D4D6786CE64F3A2CEBF0E562FFED4D36A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:33.692{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90FBD23A93947EE900128059B07D9BDD,SHA256=FF3CAA132BC83610F7526FBCAD88814955F05060509F61DF811D0916830F6EDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.531{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F309-62DF-5804-000000006F02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.531{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.531{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.531{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.531{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.531{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F309-62DF-5804-000000006F02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.531{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F309-62DF-5804-000000006F02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.531{F81F30E6-F309-62DF-5804-000000006F02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000276128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.462{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.299{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D396AA9B2FFB8FE164B714F3BFF1D609,SHA256=0509656A48EED157B26BEC91BD681D465A35059CA155EFF92A12F7F4969DD861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.296{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07D51FA0CCB25C663FFAB18F53500459,SHA256=F7643DA056857DDB76C0700E9B8F2BDB0AD4D828909090E09B64A371FBE32BD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:30.187{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64907-false10.0.1.12-8000- 10341000x8000000000000000276089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:33.046{F81F30E6-F308-62DF-5704-000000006F02}53127576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:34.786{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F82943F27267142578788DC932F48DE,SHA256=D43FCB6B7CA65119F5735CBC98AA3B2F791A7927AA82B8B96C14BC79B3A13366,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.876{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F30A-62DF-5A04-000000006F02}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.876{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.876{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.876{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.876{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.876{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F30A-62DF-5A04-000000006F02}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.876{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F30A-62DF-5A04-000000006F02}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.877{F81F30E6-F30A-62DF-5A04-000000006F02}4820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.761{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7529C3DCD6DF43033DE5F7D9AB68AF34,SHA256=C1C810F6196115EAC8782247041B1D9F1B710B243CB1123263C2F61A0DA2DA0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.477{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4707F6CAC7C03C8CC21B6919E90315F4,SHA256=F254295A1E03ADA253B25668F4FAFD34421F33A736D97A75A4AE913B09507D74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.419{F81F30E6-F30A-62DF-5904-000000006F02}48046368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:34.005{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8A016A41CBE632DD6DABE30EA7DB60DC,SHA256=4C37565EC11934721CEA39326AF6B929C0404FA79A9DCD1E095408C849B67DF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.214{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F30A-62DF-5904-000000006F02}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.214{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.214{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.214{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.214{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F30A-62DF-5904-000000006F02}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.214{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.214{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F30A-62DF-5904-000000006F02}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:34.215{F81F30E6-F30A-62DF-5904-000000006F02}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:35.880{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BFB928CFEB8602780DB8B52C6814E9C,SHA256=6280D6B8886E048B879755E1FEEABB3C7E252E31B54555D3EFAAC4B876E8C67E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:35.560{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F30B-62DF-5B04-000000006F02}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:35.560{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:35.560{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:35.560{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:35.560{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:35.560{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F30B-62DF-5B04-000000006F02}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:35.560{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F30B-62DF-5B04-000000006F02}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:35.562{F81F30E6-F30B-62DF-5B04-000000006F02}8052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:35.476{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81469A66FBA350159D4D48AD52DAE2C7,SHA256=E678F8CB75FBAFFAE355C72293DB667D6F5D8EF6BD640A4BCAFEECAC4DD3C875,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:35.045{F81F30E6-F30A-62DF-5A04-000000006F02}48206672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:36.974{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE848311CEE7B37C03B5F06EC6AD8052,SHA256=13DD71E27F635A245117B1351EF00CB12CE9168415276449CE3617555DE07685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:36.497{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F0FD84F6D9486A923AF72B263B1459,SHA256=5E9E21CDE8F7448BF0D03AEE321EE539AEB3C1B53564FF7A84575C94CC5043BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:35.295{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50988-false10.0.1.12-8000- 10341000x8000000000000000276173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:36.229{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F30C-62DF-5C04-000000006F02}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:36.229{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:36.229{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:36.229{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:36.229{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:36.229{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F30C-62DF-5C04-000000006F02}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:36.229{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F30C-62DF-5C04-000000006F02}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:36.229{F81F30E6-F30C-62DF-5C04-000000006F02}8180C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:37.543{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3213886AB96368BD5C2826DF9D85F7F5,SHA256=7FBD72996DFDB522B9BD7EC3258A4311FB6858227631A42081C4EC4A572454F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:38.590{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08B9BA16AC88891D902A215715D715E,SHA256=680D639A473673A59A64CC28B1ACDFA9E6F4210C485FC25F3A3E5C2DB2DB7B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:38.067{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B107B48E2EC740144DA286DBFF29820,SHA256=30E569EBD71967D726D11BCB5A5150EEB91FBC495C422478844D8346DC7C27EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:39.625{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F6EB922FDFBCCD6938C2CC64489B81,SHA256=D67390F5585B0199F9DBA01A53952096C878B04DE5082426340AEEA128F00A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:39.161{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6310FBFC2B314F2452AD0A86FE5D33,SHA256=5DB1E2CB5CC500999AF1E0D6800F569441531C76B2015665560DCE0208EEB07D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:36.154{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64908-false10.0.1.12-8000- 23542300x800000000000000052769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:40.255{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11318B3954A19DA308AF546E1E491D9B,SHA256=11194D01BC1C68C53169CE4F58943AA6BC80F10EF5F0FEF4B09C2291332F970C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:40.657{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AAB79B5E7306E98711951CF385ADADC,SHA256=34B4A575DB01550B598B01DDEF940E44525B3FD7E69E3F800E437E69DD69F164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:41.349{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A3818CF5F53F6892C1153943CAD731,SHA256=683D25B7DC9B27B0515E99AE916B9A4153BAE1C4C196701393FCF1544BB73A7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:41.687{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15937791CD6FC4915BABFCC55B32017D,SHA256=9F38339CB0499526AE966E03BCD606BC35CD6875A77EC71987813F1E121E5F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:42.722{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3C2A04F1E363137A46F7E108F162E3,SHA256=054FD7D7562F8D497FCF6075A35213A55EFA84677886BDE4F73CC3173B7520E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:41.264{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50989-false10.0.1.12-8000- 23542300x800000000000000052771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:42.442{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7151DF0E74DF1C83CAB7CB64F4ACE8E9,SHA256=2C116BE78FB655BFD4E57A9969D2838938C6E3B33F80D45062A8C66D25777072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:43.868{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7032F06CD0A17339CFCC8ECBFC4EB92,SHA256=B9B8314C57D31D5E7359216958CF7F6F4D1B1245768469A93216ABF8B56CD17B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:43.536{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5897AE08FE55AD96BD4A4A277ABFE4A0,SHA256=48B1A5A3E322C4D0F204B898B50EDE7D1A71DB8C647D0B1CA18C9369EF7049F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:44.920{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=499F633405920A82764B9CA8E783610E,SHA256=F0557E58F41C09A58A48E68F9BA8EB69B7E8F652489FF08D5D9D64C25D883CFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:44.630{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8B60B95D0050CCF21C24A01FABD3BE,SHA256=FB5EC885A201D14C443ED886DFB59A2C25DFBCFF1EAD9984CA4F6A9B9719D165,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:44.720{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 354300x8000000000000000276183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:41.180{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64909-false10.0.1.12-8000- 23542300x8000000000000000276186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:45.966{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4201F71D2FC1712B09EB22F5918476E5,SHA256=8609C3C5B4600419960727A797FC85B1C1A6F46FEC17CC8D890EDCD3F86B3A7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:45.927{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:45.724{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3394394D9D8C2F0C7C3F2577DD5E78,SHA256=5B70FB0E5ACD734BF073B913D64D354A5BB3379BD94FB0185914623DE64E92BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:46.817{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85DD200A7097C8A673C036184D3E31DB,SHA256=8F8BCCDE356A19A4EE078A4E1B756FE1E3CD4661278198B533B3644D88355323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:47.911{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A2548233E5419915C28619774E02A2,SHA256=63A79B00C24E5765B9BF8E8877A328B02013487573E10179B4D462BF02D0BE06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:47.849{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4D70AD7BACB9F62BD3E78AB05CC30400,SHA256=45DC61A9252C1A82F5682AC371E6E1249059CBA2CFDB47CD06DB60A85C56389A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:47.017{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD83AFB3BD6CDB37412E3F3A21FDB01,SHA256=8FFD8CA605419C17F2B142C2C897FA8A0B79601CAA8792AFB196E7570F150EDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:45.983{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50990-false10.0.1.12-8089- 23542300x800000000000000052781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:48.895{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26EDF8010DA7E22391617AB82F2E332,SHA256=8597105E514A555DC4390C7F89A451C7A1EB5035DEE740C7F0B8442BBEEE7BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:48.932{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:48.064{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE88B6F5DE9FBD37B7C2EA2FE53D5BCB,SHA256=7C8EBD6E25FC8844DAA5843731E98C6E1AAD701530721EB53C38EBFAF13A8E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:49.989{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA994D616D25225868BE18592325712,SHA256=4200E1187BFD31B86395E253DCF92FDB1A930BF6429FDC3FBDB03CC29AD6D12D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:47.186{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50991-false10.0.1.12-8000- 23542300x8000000000000000276190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:49.216{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFE8B29BBD277BA133B3C60ADC2177A,SHA256=138DFFD8696072C32CBE8A59C02DC24EBC0FD5978ACCA1E448429A9ED1EBAFD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:47.927{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64912-false10.0.1.12-8089- 354300x8000000000000000276192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:47.193{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64911-false10.0.1.12-8000- 23542300x8000000000000000276191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:50.262{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A98DFC9E0A88237EE5D9DB3AAE7DA24,SHA256=99F8F4464F5A591703C024648C54FD2EC2ABF8382CCCA99CF10422C7A18F7534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:51.083{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2D2709F91832B8D2571F0E3634BD34,SHA256=54F845A0AB97DE0B1F5EB60AD1057A79598373E4166CFF4F7CDA67E000FCA9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:51.382{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D201ADBC448453A9BB9AC0DB964FEA31,SHA256=313D50B36AC8E04EB729CB608597A7E33668E71E9E70D375BEA4C60431106147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:52.415{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10750C456640A7CE7F8B7EA69B14DA5F,SHA256=E3450E49ABDAD3A7ECFE3BCF48CA0E60B4D83AFE4BE600B76738AF8467C5514E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:52.177{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=782F95F683C39691425EBD93FF565925,SHA256=8E073CCA0AF5C2EEF893A2B0AB6162F0B788F09C2965DA4FEC9A0928938133DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:53.445{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF2C78B874A359877F181ACF9E4B395,SHA256=658BC710264345B29A3EE519BBD04734B1551293EC66FA478081F4E70722D54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:53.270{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B213DBD35ACFAAD56D5859D76626D396,SHA256=E9C8AEB9406015A6DCDF477843F5C2662B1BC2BC007DBD7D09C4E40B21C3554B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:54.480{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54AE4A0C3A3F3DA9FE023CC33705E765,SHA256=907D1A87348ED30633C6938A0E8FD5DA9604DF2D9742D1DB6C6E0ED52AD006A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:54.364{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939C32AAB4EFDB0B025EA9016CFA532D,SHA256=55B7F082CF6587C4FF497CC8A51718C4DA82AD925833D3B2F9AEA49A02E36E55,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:52.240{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64913-false10.0.1.12-8000- 354300x800000000000000052787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:52.279{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50992-false10.0.1.12-8000- 23542300x8000000000000000276199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:55.645{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE5CC85B85E7BA1FE08DBF85052EDBD,SHA256=A250E8308D6E32F3B8EA55EB25FB7A280B9D4447193EAE7B2BECCD75393D6BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:55.458{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2953F295F3A8533EAB359538D107ABFA,SHA256=410BB8EAF42A6128EF69E619D3275EE28A911A6B6D9FCF2B4282F8096E9725EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:56.759{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389549388E7EBD2FCD9211B43F0886DF,SHA256=46B2ED566C40AACC7927B449423FF1A8B607C98A50092D1EF250225DDC59683C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:56.552{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C82EF945EE5ED108B452188A1AF6CF,SHA256=AE30A1797BBF81D40025B4E3297DCF02DCDC28C2EC4F282A1AB9C383AF729D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:57.860{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D720B0AF303965A35128119893C40F,SHA256=BB931D133F573003EED28FCEFF9940BB32B410486D1A0AE01E6DAB2C8A3901AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:57.645{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179F8FCB31736C2798ED56DA8FF281FE,SHA256=9CCC608905E61E7034150FFD91E9F4CDDC5F8D7406B04FC283FF4BFF94A2A895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:58.977{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB16B6DC0379BFE74DCFC03B7147273,SHA256=489CD7AB86F888DAA37228D320AB5FF58A53ECFBF962D1CF9023E9D321170DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:58.739{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63BF595C0951AF8E04FF1A1B6D459C4,SHA256=82CBA41E758A5AF71AE96778D13B0B0391C2BA69C2C4D95EF2D3345546581F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:59.833{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488F54E5349385CFBE98B1B23E463A5C,SHA256=29D59DB0D022E91C675D267E09C9D92BCB989B560A06E8284E15C414247C273D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:58:58.279{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50993-false10.0.1.12-8000- 23542300x800000000000000052795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:00.927{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77EF834A5EC9DA98FCA17E042D6FBEF,SHA256=8FF4352373A6E503CA8B0DEAA79D6A9AF58B44C8348D2C3FEDC2E84B23B42CB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:58:58.186{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64914-false10.0.1.12-8000- 23542300x8000000000000000276203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:00.112{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92551453C8120730329A3A95F184621,SHA256=7E19E9A3C54B0712AFFA1758E34DD7BC5385E14F1C9E19178518B9DCDBD0A966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:01.557{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DF52C837D8FEEC18D632F2DACF5CDFDD,SHA256=45AF56451D2AA9FBC975BA38F21983E8B7574996DE44AA41D3CFAA69B2792892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:01.157{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D621143430A94147D92C7C89CA02CDA8,SHA256=BACCE294539950B509AB0AA79709A3194C5296209272602E284B3269795DB4BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:00.302{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse167.248.133.60scanner-09.ch1.censys-scanner.com45694-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local5985- 23542300x8000000000000000276207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:02.209{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1639CDE77022F958B783065215E37F,SHA256=D745C3F209DC84E6E8F87D6365230DA2A14F9010C86C71B09415760D010704E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:02.020{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51485EF7BAF578E0D9DB87571B57140F,SHA256=DE8C3CC1F3F59AD212789A2B24C23F1A4B80A306E6675B276A92475798F55220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:03.114{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6CD0BDA503CA273707853A708E5098,SHA256=42DD40CB09036005502030B7FE9385AC42B957C7ABBE57642F3282408BD103E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:03.808{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D134279F4DB15FA2F9F8EF66548A11E,SHA256=04DCB0788C0BB5346EB7D5D8A1B69B2AF7EB5CDC36525913441733D84CCBEBC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:01.322{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse167.248.133.60scanner-09.ch1.censys-scanner.com36584-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local5985- 23542300x8000000000000000276209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:03.355{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1882A83292170917E750CF400DC895A9,SHA256=5C8973A9BB7442F896E3141363F49534A89D1CA72CC8CED083FEE5B1C35AE7D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:01.468{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58950- 354300x8000000000000000276214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:01.468{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local58950-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domain 354300x8000000000000000276213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:01.367{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse167.248.133.60scanner-09.ch1.censys-scanner.com37256-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local5985- 23542300x8000000000000000276212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:04.391{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C1E77098DF6042460D9FB204C53B92,SHA256=4555D09FC03FB9B8D2F6C7254B6BB5B1803634034DDAFBA2A04C5420BF195F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:04.208{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60AC3F32C0067A6DD59C403B9ED863FD,SHA256=02EA5C57F78EAAFF97A8BC9F6761E59E5E6D9355A460DA401EAA69881CED3F78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:02.446{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse167.248.133.60scanner-09.ch1.censys-scanner.com56624-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local5985- 354300x8000000000000000276219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:02.409{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse167.248.133.60scanner-09.ch1.censys-scanner.com56130-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local5985- 354300x8000000000000000276218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:01.682{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64915-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000276217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:01.682{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64915-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000276216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:05.437{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41A1CF7EF7A10E79EB9898177B88A6D2,SHA256=564F650EF86A5B5560717DFB1D58DEB266E4DD9593F5F043A2E7B54103DCF275,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:04.107{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50994-false10.0.1.12-8000- 23542300x800000000000000052799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:05.302{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2A994135F2D66ABF467C18CE54059C,SHA256=5D9F88BDE4B619B1EF86E4D50ABBF318E89B353B0AB7A6BB452902AB5395E33F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:04.117{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64916-false10.0.1.12-8000- 23542300x8000000000000000276221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:06.491{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD5983292BF59C9C96CDAE9EE2BF2E9,SHA256=2FF1A8F469475AEA9265F2F39A522DD75CD002B9DD25D20980B43064A9CC4C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:06.395{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C74C9622735DBB64B7F63C5F2BD4A0,SHA256=CCD8E8543A07CF4D0DE75800C6F824E0689EB5943AA56F86ACFE0AF873F59696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:07.522{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF794935AAE70E8F9F85FF447AC0105,SHA256=3D5E41F91A3310F82C033AC639D82877614F3B18A5026579FA9FC8A17341205A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:07.489{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB37E913515CD9060719ECB36C312340,SHA256=D3AED3D75FFAE00C5D1634626E35202C8466B142FAF3243276E684EE2885A04D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:08.652{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9993B4114C7E6B9A081D9187A2B1E8E1,SHA256=0A9D8C7369F068F75DECB62B8BCDC35264B04C117A51693B34F2D1A803FC2B63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:08.583{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427F1786E39461168708F6F03C757338,SHA256=6CB3CF2B67A201C27DFBB40180A71DAD91741AA9ABF434D3E47E141433A9CFCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:09.705{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFAE5ECB7EB3586DF9185BA73CF6EAC,SHA256=4FDDD7954AD5447CF1E230C32C0A1E00F46D15A01A18763AD50CEDA1EC9669A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:09.677{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994C92395DAB2538C6BFE23A0246C62C,SHA256=882E8215EC5634BCC1D6891A514DA3FF5836F76746560A035A437FE2A5C9AF76,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:09.264{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50995-false10.0.1.12-8000- 23542300x800000000000000052805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:10.770{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB5A790F8D55683EE0BE0D8F0B66F58,SHA256=09C0DBB6C8E178838E48665433F7392B1614AA37162FB2D5AAF356344864E4FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:10.750{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1ADD37306A21640BBA00661A2033F87,SHA256=637A6301A650EBD16CF1984FC66C78EF14654A335F0CA589A2963AD566750A29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:10.304{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:10.304{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:11.864{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF0E21D559B16BFC858790DA560F7C5,SHA256=F359B1CCF38002E92CCC170AC7B9BE63ABA0746BBCF57EB75A5CDE7B36C5373F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:11.787{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2931FE9561747B0212F25A68D7722465,SHA256=0C8F7495F7728D5BCBE8BEA5419E09F6194883427A5A5FB225AD86B47EE663B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:09.130{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64917-false10.0.1.12-8000- 23542300x8000000000000000276231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:12.917{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50DF056FD38B97DCBAC96CDD7A4A2657,SHA256=F3E260CC1168314AB975D2C68649C5BFF87E50B2A3F45C548C156C6187029CC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.864{53069400-F330-62DF-7903-000000007002}5321016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.677{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F330-62DF-7903-000000007002}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.677{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.677{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.677{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.677{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.677{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.677{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.677{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.677{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.677{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.677{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F330-62DF-7903-000000007002}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.677{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F330-62DF-7903-000000007002}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.678{53069400-F330-62DF-7903-000000007002}532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000052821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.411{53069400-F330-62DF-7803-000000007002}8081816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.177{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F330-62DF-7803-000000007002}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.177{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F330-62DF-7803-000000007002}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.177{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F330-62DF-7803-000000007002}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:12.178{53069400-F330-62DF-7803-000000007002}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:13.965{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE926F989E38B1AB24F39494424279B,SHA256=329C4A942EC6675EBC4791A077F65668292F481856282C8D3B68B269CFC19E6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.817{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F331-62DF-7B03-000000007002}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.817{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.817{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.817{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.817{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.817{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.817{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.817{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.817{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.817{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.817{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F331-62DF-7B03-000000007002}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.817{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F331-62DF-7B03-000000007002}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.818{53069400-F331-62DF-7B03-000000007002}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000052850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.317{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F331-62DF-7A03-000000007002}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.317{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F331-62DF-7A03-000000007002}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.317{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F331-62DF-7A03-000000007002}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.320{53069400-F331-62DF-7A03-000000007002}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.317{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F34FDE6ED2728DCE1CF4DCD6E5D866D,SHA256=C8ACA45A96BA8F7354B14AE7E9AD4418ACEA192F33538CBA7BC6A82728AD9496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:13.317{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A54DDD9C0F3F4BABEFF3A3E4E4FA85C,SHA256=A2C2E1FF16ECB4B24C6C7F8F463D5DD5C5BD19D5D7C5AEF48E35B67A9B51159F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.989{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F332-62DF-7D03-000000007002}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.989{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F332-62DF-7D03-000000007002}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.989{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.989{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.989{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.989{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.989{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.989{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.989{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.989{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.989{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.989{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F332-62DF-7D03-000000007002}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.990{53069400-F332-62DF-7D03-000000007002}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000052878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.489{53069400-F332-62DF-7C03-000000007002}39641256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.458{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001D67692EA70D6E8D0E3A0A45EC1949,SHA256=C19648910786472F4042581514EF7D446B7F00D00E4722BD0093FA6B5E0B4A30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:14.017{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:14.017{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.317{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F332-62DF-7C03-000000007002}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.317{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.317{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F332-62DF-7C03-000000007002}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.317{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F332-62DF-7C03-000000007002}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:14.318{53069400-F332-62DF-7C03-000000007002}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000052906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.599{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F333-62DF-7E03-000000007002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.599{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.599{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.599{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.599{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.599{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.599{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.599{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.599{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.599{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.599{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F333-62DF-7E03-000000007002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.599{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F333-62DF-7E03-000000007002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.600{53069400-F333-62DF-7E03-000000007002}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.506{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A5B22B953625F04239B781F7A61962,SHA256=8FCB9B9752C64D5148FEA341FFC50ECB90C3E0B1C5803152470E6C7C66CD796B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:15.666{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:15.665{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:15.085{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39971111EEADBC2EA1200E05B35193A4,SHA256=4740AB6D91F8186A0829585B06CE0B542462C5E093C38796EFCEBF88B81CA5E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000052892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.177{53069400-F332-62DF-7D03-000000007002}17001516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000052908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:15.280{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50996-false10.0.1.12-8000- 23542300x800000000000000052907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:16.599{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97319972166AA8EADF0A6EDD7C130B58,SHA256=958352536B8D9DE2F7810E798D038B2258730AFA4ABDFA418E99F3C10E35C467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:16.131{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82C5AF070D643FE2B2A7377D8E486F7,SHA256=F47A5AF0A9B54F1ED87857EC502B1485D56B343524ABD54E242220B203E3D204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:17.694{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D030367D2218F8EE572C9386EF091302,SHA256=1346725C7DE1D11A000169264D8C49A55EA74ABCF54D2E7B7C7A7600694B4C6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:15.157{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64918-false10.0.1.12-8000- 10341000x8000000000000000276241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:17.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:17.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:17.263{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF757EB7DCF7B87290D8DA759E51058,SHA256=11BA150C151F4B2D404F7499CB1181EB0981470CB3176993C214E54F2AFBFE47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:17.020{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=05E684A7622DE15277AE55E9AD39507C,SHA256=6789681B2D3A6734D74FD7A4D117879E1CAFC499E25BCD8AC4EE8BF0365349C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:18.786{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99D0F1E2C111720A5F4A2087CC8808C,SHA256=71E1E27E05B2C136C19A1090AA19040EBE452B72AA9EB81908841C0E4B6190CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:18.313{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F553EDD0DCB61C88CE3C25990B3F106E,SHA256=3A8FFA802605977F880E4D01EDB9926B8C239B8EF2981B228AFCBA6CBA79C697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:18.055{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-106MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:19.878{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7898DDF2CB1350816AFCEBC89B94B6,SHA256=3D840D69399DD91F9A86C034248C3AD99FFF93BDB788F736BB9135AB091B7923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:19.361{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146E571125E0882C8D161B785633B769,SHA256=36FF70529D66437AA7F07859B4088E82E30E757D189FC2A21F51BBA43B5847F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:19.068{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-107MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:20.972{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7862610FE3DFDD611295201B858D884,SHA256=B4F46840F752D25F24767D46B514D7A33AF85EA4EF4B857289BFC561A25081D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:20.811{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:20.811{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:20.411{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A907ADFFE4BE143C63636DFB89889A6D,SHA256=F8F1EE5B25574F4B5BA1C208C5C00275BD9AE153B8A593A6B00D8CEA63D7A7B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:21.459{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EEC526C3AD42A091D1E43D7335C40E3,SHA256=3CDA8E6A07FE77D41D16B3CD383EC3EAF991A1C439123CD9578903E174EEF745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:22.066{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F56C310D9DD81F5B2D058BCBDA3D96D,SHA256=DB5813AD9941D717D7DD6D3FFCF5CD77AAC4A738CE47589BDB79133BD81C9263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:22.482{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521DDBD56E113DCDF2A4A0DD1932686E,SHA256=1FBF5983C58BA634EC3DDBD0059DECE71C013B0517FAEF9DBCE6EE75BAEC4E5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:21.138{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64919-false10.0.1.12-8000- 23542300x8000000000000000276250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:23.528{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF57F1CEF64BE7F041291074AD7104BB,SHA256=C1C6D327F9AD25D720B17C099472B0C8733AE07CB259480D78F5FC285C887705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:23.160{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60AEF0DD44A43D8BE13C85EA79C2A81D,SHA256=091421FC99950B69F273B77312B1A48AE391D16A2C8DC22E2645BA3F91F47458,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:21.216{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50997-false10.0.1.12-8000- 23542300x8000000000000000276252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:24.560{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17F81A477620B8AFB0A2D0B411245FBC,SHA256=256BD2D0D2BF6397084E6810BA61099B9EA116A8CDADDC846FE771B7A6CC43A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:24.144{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC2026552C867E6B3310688841F76F4,SHA256=88850A9BB20867245AE60CC9342F98B822FF4ECA2B09FD604DC1928DE6DFAEC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:25.610{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F07A5B0BA08F67F730F3C2821C7501,SHA256=82CE38773A106BCDB8338CA671FCB356DD71D335CA086152197A8F2D7961DD3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:25.238{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1AEFC4F7740BE61DB99C0632F49FBEC,SHA256=C5033045D07BC9134238E5E6C512761F46AFABE05DF0AD9D59AF72C07EDA8A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:26.332{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AAAA1D733569A40FE3CB872C9D837E,SHA256=D517358F9BDDE0932CF9636F2279BF0CD29951E20AC9F4B61964ECBAFA2B57BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:26.658{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0427B4724FDC41F04FEB0E7899428F88,SHA256=FAA3F474829EBB1EB703877D7D1916693C1617036F6DA850636A2A74FE4BD264,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:26.478{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:26.478{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:27.425{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3396B736E5FE868750EBF93FDD9520A,SHA256=E6520966637DF91F608D626F12C44AA9FEB2A52C7C59E5576608521852957F95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:27.708{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B49EA6AB7F870F33660D86ECF10B3E,SHA256=8B9D44FE8C1C5E6685B61EA37173A4EF17ABD4958B0099FBEB91A8CF8092D951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:28.519{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D84A69D42849F83637A834E088D3A02D,SHA256=16E92F26B9F32B1AA9F77131FBF621BA31DCEB305FA27702DE0EC30430022D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:28.755{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B96DFA7C2E6C46EEC5C00400D6BFF0,SHA256=EE5D3D65A94C086F3A52BFEACD5F91A0BB0F7D546E6FBFC67D6B5CA7FA339D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:29.613{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2567F8AAA56849979B02FFDB32354288,SHA256=BDB8E499433617F5D84CABF0706B3B5A3CCE0B330A435996A6E3921DCF63BA1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:29.837{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:29.837{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:29.837{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:29.837{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:29.805{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90988A20DDA4D9EEDA3183E2B5C2E79,SHA256=32FBECAE362FE430C41ECB1074774A5FDFBE723A2D32677BE8B7A54971F4B37A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:27.153{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50998-false10.0.1.12-8000- 23542300x800000000000000052926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:30.707{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92DE5AF21E2BE5A42A64097B65BCD93,SHA256=3EFDBB4EC190BF581A792BDE48C5A97706D73EF325C6A445E355E59676C90FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:30.837{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0D16CF98A93DE9C7F37CD72CDD75578C,SHA256=2E0DF42527C1C75DC67A29F8B4928E400132FE04E38369C16AC995509CCF6B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:30.821{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36F986E56450371F4CBEBC0281729A54,SHA256=575B4A47CA8C4DF83DDC7D7F38DB1BE417B516230D2B1FF4CCFE4A00160E9C98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:30.637{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:30.637{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:30.637{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:30.637{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000276264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:27.065{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64920-false10.0.1.12-8000- 23542300x800000000000000052927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:31.800{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF5EB12D7009C8F5E039D328E92ADCA,SHA256=EED0ED767018F67F3F57539A06D4263F61E14811D3FB0E34F4221F9A4FE2D0E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:31.954{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94AE0838DC9663A627BA84D6BC14BBD0,SHA256=77DDC4C34E4646117804782313F8B094540FB51BE942761378582EC7FA825D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:32.894{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866B9594912304277BEFB24F4C2FAAF7,SHA256=8EEA6A8EAEADD3E5087EF472205946E890B7A51EA3E74153AE2AE8EF61CDA77A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.890{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.890{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.879{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F344-62DF-5E04-000000006F02}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.876{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.876{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.876{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.876{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.876{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F344-62DF-5E04-000000006F02}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.875{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F344-62DF-5E04-000000006F02}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.875{F81F30E6-F344-62DF-5E04-000000006F02}8172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000276281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.374{F81F30E6-F344-62DF-5D04-000000006F02}81888128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.280{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-106MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.205{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F344-62DF-5D04-000000006F02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.205{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.205{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.205{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.205{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.205{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F344-62DF-5D04-000000006F02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.205{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F344-62DF-5D04-000000006F02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:32.206{F81F30E6-F344-62DF-5D04-000000006F02}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:33.988{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CEF7919DEE551F580285F525AF10EEC,SHA256=D742B78EFB282E936808CE5AA16A98C6F4C370968D7340866159E75EC2909EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.864{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\rdpbus.PNFMD5=C7E7675CCA8BC74CE6297D150E63EE99,SHA256=CEACBDCD8487D062F0B42B6BBDE7D83FB8F24893C7552B1A7F33F067CFA8F948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.847{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\oem12.PNFMD5=4790C230F12AFC38A4CAFF14A1DF7272,SHA256=D77653024D7FFBA5FD034521B18AA9C19426D9FF9217281A458170EABA310901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.847{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\swenum.PNFMD5=5A6E45AEC4CC039D3A415E214231DEFA,SHA256=9DCCC02DF95B021A9DD8D12EE52EAF74871B0A0D60512D6B44C09037C1E49F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.847{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\mssmbios.PNFMD5=75E364B9B015E1A6AFE7FFCB5990469F,SHA256=CB7C5903C28A7392DF2689D73B5D575217AABE838262A82F0914E8FED598B6F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.832{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\ndisvirtualbus.PNFMD5=F9CD95AF06BC465A8D4272BB2B3F420A,SHA256=96EA6DA07E3FF36608BE71F8FB0B18596854B928D3C24EBFAF339EFF9DC283B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.832{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\volume.PNFMD5=FF02890AB9C3D5953A268BB0CD8B087B,SHA256=618B916CB4EFFE46CD9C3C0C434B48AAF392D818DB58AF4ADC407CFE8025669C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.816{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\keyboard.PNFMD5=9F5F494D7E1C38EB2886453B3213F068,SHA256=E5FF90E5E239BCBF28DF02471FE793CE0E5390D43A053C95AF348B898325E075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.816{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\disk.PNFMD5=4EFFFA1A69CC68965A020830F5849EB6,SHA256=B483BF142AF92CA4090161655EEB82EBFAE5BD835896B15A5680CD0824CC2C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.800{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\monitor.PNFMD5=4B1AA6B48454F7093A39E6146C01E770,SHA256=BD38CC7C632E938B4BB96FA9EB6857CF76C0519B4A19CF08B00BEC78ED2200B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.695{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\acpi.PNFMD5=D2147EB9AB56260AE66F1B62561C4D90,SHA256=1DA40926EE7507E2DDE5E46EE57B9B4E26648EEAF6D3788493262011056BDE71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.679{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\cpu.PNFMD5=9570295981697916E5067712FA8B62AB,SHA256=91011BF8258AAF3E316BB95771B27FF26F966570D16010C72153C1C811A14537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.664{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\msmouse.PNFMD5=C43AE2EA2739494ACE0C5ADCACB414C8,SHA256=C68E32C6442A044521190EC157625B12EB7EF02189FF66A137C505FBB3F20820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.664{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\pci.PNFMD5=28698E95E8CC8AFC6D56E2E07EB2610B,SHA256=44883203CAC1E7EC967FA6324CF0E3E89793CF41629A1DC84891F433A7F0CF38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.659{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\hal.PNFMD5=1AE18AE18478C0C74BB2484809574106,SHA256=F784BD502E95C4B00999FE371353C95ACA6DECCA34B33CCAF2CF90932AFFDEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.642{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\kdnic.PNFMD5=E4B219442C1B46FB541CDEE80CFB32B7,SHA256=FFBC4D1F71A7EF71C4DB66EBC143107340DEFA3BCDAE8F1A8D39B3726B6A8E18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.642{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\termmou.PNFMD5=B8728075D6CC0D7303080C70F669FBC9,SHA256=C10BDC17DB7EE4F27E20BF5E33DF75330750CC37BE76D5A1A038AB2C4CAF0287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.642{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\msports.PNFMD5=85336197745CE2153C6DC79930522B2A,SHA256=DF24C9268E228C96A8758DC3FB1C942A42F486DD4545240C96BA6B5F9928FCCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.628{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\display.PNFMD5=F07C2D97E6CC624A6D8CDB44712FE3BE,SHA256=4FBFA58B19D9DACD095C40635C16E1BB9C1C0E1048F288153CA96C5383EE62A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.611{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\spaceport.PNFMD5=6B8D730058E48F32DE74AA51F9DD6A29,SHA256=CE4348DA64DAFDE038B2F84C1E4F6558B58DC4E684C2520916A6F570C2B80EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.611{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\vdrvroot.PNFMD5=91BE29B7A3D405FC7F7FBC09D8BF2287,SHA256=D21192B1E4CA85B52C43AB1B5294659F988D4B6A3434BE9282571DE233523610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.611{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\compositebus.PNFMD5=0A3A2D8379E05049459BABBC291CEE7F,SHA256=7444ED3C4BBDA8C1AAB595CE96ACBFC07C37630A0178CA50D80BEA98891A54A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.595{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\wgencounter.PNFMD5=CE695BD1829730B093FEA673259D09E4,SHA256=823F288089310EB88FC19C765047A077ED36B7854D4FE3A7691CAC54B4F6EDA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.595{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\umbus.PNFMD5=E88FC106CD96C854DA5B2EA1CBAE854F,SHA256=B401A51166C0379C3A4016CE762C35272C3A26704298122D3A9C56E6281118D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.580{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\nettun.PNFMD5=CA6F8FFB53F3EC32AF1B1030C84E64AD,SHA256=CACEF094F4E94E18FDBAD3F317C4D53E54CE18C8D1203A079D8217B4FAA4C082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.580{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\c_swdevice.PNFMD5=42C7E748976D3C4CD2893613CD1BFCFA,SHA256=9E8D5CAE6B962FB2ED95944C2126E0456DAC09052C6688377A5F85209C94F3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.580{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\basicdisplay.PNFMD5=7307B0BD93CA5D8CF3495ED365FB46ED,SHA256=B34954552F4C03334ED968F1A7FA9AC0F7F7AFCF8991152BCEC429D6A2B36E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.564{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\volmgr.PNFMD5=DA0BF4FB11B676560E3696E7E7A6DEEB,SHA256=7783CC4B3E5BA054C5C9E65463C57FB7F3974C9CCCBC6013F091406DE7C60E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.542{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\printqueue.PNFMD5=E830C57E1528BF3EFBD01CEBF491C95B,SHA256=66B94EB86F943424AC984E690F1A907B9FA79FC81896845A4AFB751D7F27EE08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.542{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F345-62DF-6004-000000006F02}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.542{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F345-62DF-6004-000000006F02}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.542{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F345-62DF-6004-000000006F02}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.543{F81F30E6-F345-62DF-6004-000000006F02}6852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.542{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\oem19.PNFMD5=B66DF374BD2CED72B0A33181CEC7639C,SHA256=F406072879FBF4C75652485DE341F28F1339FB61FDCFCD6E3606B47B525F960C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.527{F81F30E6-F345-62DF-5F04-000000006F02}7520NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\machine.PNFMD5=2B29B054D035EF2048A3A251ADE113C0,SHA256=3D0361704BAC4AE1BF4521759A6E6CB4249DE27E80554CDE68130AF9DDBB120B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.498{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.498{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.480{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-F345-62DF-5F04-000000006F02}7520C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+266d7|C:\Windows\system32\lsasrv.dll+2781d|C:\Windows\system32\lsasrv.dll+26555|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.480{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-F345-62DF-5F04-000000006F02}7520C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c0af|C:\Windows\system32\lsasrv.dll+2649d|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.433{F81F30E6-D97C-62DF-1500-000000006F02}12288036C:\Windows\System32\svchost.exe{F81F30E6-F345-62DF-5F04-000000006F02}7520C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F345-62DF-5F04-000000006F02}7520C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.379{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F345-62DF-5F04-000000006F02}7520C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.379{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F345-62DF-5F04-000000006F02}7520C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.372{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.371{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.371{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1bc2d|C:\Windows\system32\lsasrv.dll+28b4b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.297{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FCE6AC7DE2979002565DB48034AB553,SHA256=AB4768538F6BEFF77D66D77B2779F25E0EC1B786A9BC8753F04FB5E2B80E7CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.292{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-107MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.206{F81F30E6-D97C-62DF-1600-000000006F02}13123004C:\Windows\System32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.031{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A99EF73FF0CAE6B9F65025A7E04E22,SHA256=F8AC4438C4BB10A080126914BDF8F3ECC5F87FB2CC2D5A9C1708BFB405F73A33,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:32.247{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal50999-false10.0.1.12-8000- 23542300x800000000000000052930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:34.019{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8FB20DDDC1C983A56366615D2A548EB4,SHA256=08B62FF22829BFA9D858CC0F03321B30A1A483D5A2962FE7A4D43B10A2C8FCED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.882{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F346-62DF-6204-000000006F02}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.882{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.882{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.882{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.882{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.882{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F346-62DF-6204-000000006F02}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.882{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F346-62DF-6204-000000006F02}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.883{F81F30E6-F346-62DF-6204-000000006F02}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.782{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7E07CCA919F550D2EF22D9EADB492D87,SHA256=459E7AA99E583AEDFD79A5E1F013957EB67E877CF4A4C05B5E192FFAE9E9452E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000276362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 13:59:34.545{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000276361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 13:59:34.545{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0064cdc9) 13241300x8000000000000000276360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 13:59:34.545{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8a0ef-0x8dc22845) 13241300x8000000000000000276359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 13:59:34.545{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8a0f7-0xef869045) 13241300x8000000000000000276358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 13:59:34.545{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8a100-0x514af845) 23542300x8000000000000000276357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.382{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA069607894588DF819C406BA2C361C,SHA256=33C03623A9F565B4CBA08E476B59146C07D41FC602AD58C65D59DE7B45CB440A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.365{F81F30E6-F346-62DF-6104-000000006F02}73767088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.214{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F346-62DF-6104-000000006F02}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.214{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.214{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.214{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.214{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.214{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F346-62DF-6104-000000006F02}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.214{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F346-62DF-6104-000000006F02}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.215{F81F30E6-F346-62DF-6104-000000006F02}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000276347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:34.083{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000276346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.997{F81F30E6-D97C-62DF-1500-000000006F02}12287268C:\Windows\System32\svchost.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.997{F81F30E6-D97C-62DF-1500-000000006F02}12287268C:\Windows\System32\svchost.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:35.082{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2D360A07F38717F9B787460A85552D,SHA256=79E9DC83AA495F39B15338152645A6CCA64A7E115D940BBE580D06581CEB5E05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:35.712{F81F30E6-F347-62DF-6304-000000006F02}70806656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:35.563{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F347-62DF-6304-000000006F02}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:35.561{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:35.561{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:35.561{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:35.561{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:35.561{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F347-62DF-6304-000000006F02}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:35.560{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F347-62DF-6304-000000006F02}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:35.560{F81F30E6-F347-62DF-6304-000000006F02}7080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000276374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.055{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64921-false10.0.1.12-8000- 23542300x8000000000000000276373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:35.128{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79AB5B226A6A286E2F06F55ED2F4A67,SHA256=6720AB70BB07A22146B37B73A3104D29A620DD95C5739521E57A5D9AD658AA26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:35.029{F81F30E6-F346-62DF-6204-000000006F02}67446552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:36.177{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE351F4124A66177591945B65FF0B9A9,SHA256=7F95AA68612C6C5F26764B71AE150861AEEB2D327F2841AAAD5E9A928241872B,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000276395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.482{F81F30E6-F163-62DF-1F04-000000006F02}2264ipinfo.io0::ffff:34.117.59.81;C:\Temp\dcrat.exe 354300x8000000000000000276394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.474{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local54314- 354300x8000000000000000276393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.474{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exeATTACKRANGE\Administratorudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local54314-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domain 10341000x8000000000000000276392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:36.243{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F348-62DF-6404-000000006F02}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:36.243{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:36.243{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:36.243{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:36.243{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:36.243{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F348-62DF-6404-000000006F02}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:36.243{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F348-62DF-6404-000000006F02}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:36.244{F81F30E6-F348-62DF-6404-000000006F02}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:36.164{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B55EAC782F8ABEEEB8589CF78E2C8F8,SHA256=3D4C0910CE62F0362DF97A323C1DA3C5201DF4307E6DAD42BECDC0CBFDBDB5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:37.270{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF14BAFF4B7537C480DB8BD0BBC0B009,SHA256=A50128C76313095185A8F5ADA487C12C9C99A96832A036E18F95569662FA72CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:37.780{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:37.780{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:37.196{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB9E8CE565D7CC8B074D96A05C48388,SHA256=A8247C45868102418C604D7B8F4F6BEB78EA063EE2AE1197DF067F4997070BC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:33.488{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64922-false34.117.59.8181.59.117.34.bc.googleusercontent.com443https 23542300x800000000000000052935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:38.364{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E601CC4FD39636DA83A5332E1987C4B,SHA256=C4D6A499D505A9DA86543CBA659D10C83C139F5DCB6CFD4728E0653A8B5533EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:38.227{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A26F7673208FFBD58AD03EB8FE88FA3,SHA256=53FAB728F17869E70258133B4595F6D37CF141197959190721ABD3CC37D97EDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:38.248{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51000-false10.0.1.12-8000- 23542300x800000000000000052936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:39.458{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE63EE9BD06CCB4D28E376C6F459983,SHA256=380C42162EA7C0CDAFF56624A08994354CD584D756EE2C9A938CF469DD3A8386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:39.280{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E890911CBA0D4BC51DB70C8E96502F1,SHA256=DED617E58152DE726F4C889CDA0D350351D1B582EFE5B164BED00EAD8A7909E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:40.552{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB96CF5551BDB810BAFC019FCC13B93D,SHA256=C2E569B91F91F07BE710A32CFC6C199C7C675757EAAE084BEB147B45F73F9DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:40.411{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165A160EBDB0DA7B25DA4417DC96C26E,SHA256=CDB705A404BEB1C1444BABEC1BC4C691E590259113F6E0474BFDBCD43ECCA5D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:41.645{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB7C176081303DB2C86671D3F673B97,SHA256=D1D7DF79D0463FAA0646CA2057B982E38F862411D545F6C6E5D548F94200CB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:41.526{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDFC34D330AB165AD2C88F2A1DCF45EC,SHA256=17ECBE8AA9642B10BF094D054BC2BF0F7310DF662BE379F2E74CC9CDE12676A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:38.206{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64923-false10.0.1.12-8000- 10341000x8000000000000000276403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:41.225{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D978-62DF-0100-000000006F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97d32|C:\Windows\system32\kerberos.DLL+7a118|C:\Windows\system32\kerberos.DLL+1454f|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+2d496|C:\Windows\system32\lsasrv.dll+32d29|C:\Windows\system32\lsasrv.dll+30677|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+176fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000052940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:42.739{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C726014D9EAE433C6C964DF017B68C1,SHA256=6F7E515DF71AF2FF8F55DA4585D4962A3C457BF69E8B17F7261A9CE999CAFC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:42.594{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27DCDDD7B7D2181DED0ACF77567DEE5,SHA256=03C53CB716DD4D8203E1FC3B224C492E8FD5E9E1C597C39758C111EDF93CDC6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:39.411{F81F30E6-D97C-62DF-1000-000000006F02}448C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruea00:10e:0:0:9860:88a4:89ca:ffff-54314-truee000:fc:cb4c:8974:2430:8364:2428:49-5355llmnr 354300x8000000000000000276407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:39.409{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local59925- 23542300x8000000000000000276406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:42.241{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCF6ED26BE749B31905D386731385EC7,SHA256=8034D07A14E386C625027DC0D2F8D0C51123259A6B1C4ED5255CA2AB1D40B731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:43.833{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96DB699B1A7BCD76E5540FCBECC68A4,SHA256=AA789D76D8A7B39EAB0CCD65347C6F8E0D7A969147D2446E3E08BB8774A4856C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:43.742{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D290109B08AA02522F69B6BE7B8FCB52,SHA256=FF2530E57E0047F0BBCDF6DEA18AB22851A1CEBA810884F15892756863D10D9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:40.237{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64924-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000276410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:40.237{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64924-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 23542300x800000000000000052942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:44.927{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B85B217D83643F872D1F4A6A8C749F1,SHA256=7E6AC674C3D21A6474E5E3B3708D418543D6A4ADCC4B1129A9C4F3D77A46464B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:44.870{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C33E1A957798CACF89E6A8CA66BEE51,SHA256=D87C6443F54D04692E8199D4CD18577BC4F5437FB3F776846BD07E517C35691C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:45.958{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:45.907{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D498701CFFC4CE8FC29FA436F1B3B14C,SHA256=84CBFF70674698F437FF0D2E859DC39FEC68B47F07341DD85045E84CCE6B0BD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:44.248{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51001-false10.0.1.12-8000- 23542300x800000000000000052945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:46.020{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8996C8D2120A939C2E763E7FA7537025,SHA256=46ED6622E5A400A74A6D7291045307D23AB1E5BFA7520B31A13C0951BA4F8317,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000276417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:46.538{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txt2022-07-26 13:59:46.538 23542300x8000000000000000276416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:46.538{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000276415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:46.538{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\SiteSecurityServiceState-1.txt2022-07-26 13:59:46.538 354300x800000000000000052948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:46.014{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51002-false10.0.1.12-8089- 23542300x800000000000000052947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:47.286{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A4B00DAD7BBCA70258BD88D6A09C3612,SHA256=C3ECE805EA52F6250A8AA368FD209B69D388848412B4805616A74A558C1F3CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:47.005{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E9BCF4417EF3C42959054E661B8342,SHA256=6FC67BD62087047D154F030797A80A17B0FD754C65C5A1200A0F5B73BB305CED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:44.118{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64925-false10.0.1.12-8000- 23542300x8000000000000000276418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:47.022{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4E96B88DDFCA1397360C68BCAF4704,SHA256=D0A066BB35E9B565A1AC4B618BC2AA5F5D41AA064B964E5C11D8EC9F40266D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:48.098{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A3BC3B44B692FB53637A31B23C5014,SHA256=9EA543527DA8690C76CF23BE2971338BA0DA7E4DA44A43AD3308AA097E8F7432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:48.952{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:48.068{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9463E9AAE1863FA0D7A2B4B13BF942,SHA256=00898D2506420AD9776B1BFE619C2526F1A54F43E7A2EEBF9BB2F5BB9C153BCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:49.192{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760A67B574EF21FE99A916CFAF5945B0,SHA256=9254538F9E7B28992D5A43EA043D1B260226287BD4A8F729398B6CFE64B8C62A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:49.104{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508B56FA4DEB358E0770FFF0A96ED1FF,SHA256=8D165F83907AB92CCBFDA21153F139D43E2A8C6E84E1D8F36A8F81D6FD2940CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:50.286{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A492903F6240576E1FDF01628C822EA7,SHA256=E7D383D9A9D87A005C77B4D50D610905308F40A36376F15A726D3373E70C4951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:47.947{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64926-false10.0.1.12-8089- 23542300x8000000000000000276423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:50.135{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF11B0C321AF5DA132932E6B5FA4A120,SHA256=064E553C93A4BD1CD9AACAA3B04C2F0821B016287017E0F9B379A26D7E4C7C9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:50.217{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51003-false10.0.1.12-8000- 23542300x800000000000000052952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:51.380{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DB43D0A30F83E0C3256F6FA03ED88A,SHA256=0E57C9FB112B67ACE71488F71FA38F480C8BEDABFAB0F8933D62FAC6F97F66C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:49.146{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64927-false10.0.1.12-8000- 23542300x8000000000000000276425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:51.251{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A962929F5366995A49F12B8DDE28A33C,SHA256=D33470E18E747A1AF98A01153AB6515AEEC2F394187547F16502305071942923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:52.473{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B6E88F1EDB49546FC7159285183698,SHA256=D38F79DEE9506BAC154F0A650B8E648342FE598E4A60A946C3E713E5A72616FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:52.349{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:52.349{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:52.302{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4BEA240B07E1400A7AE88F9110731B,SHA256=1303469F6E86AA16B21519061AB939242165F3F9FF1FEFAEFF7BC229160DE740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:53.567{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E2BC12603A4DAE310BB4961F6DC7C1,SHA256=387B3213CBE753784A93599C26C3F144FA24619BF292A72B9B64FA1208DCEA27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:53.377{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF2A64618348EE3A2948D6544FDFA749,SHA256=B20C7A0F9BD9FD503BB571196AD4C765CA2F135BB02196F87142E877C0EC5549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:53.034{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C6C0628114D155E34E4D1A148249FAB,SHA256=1405E4B07D9E5B7835BFFAD0AD99F09DA0623B16748308366D80429E854FE034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:54.661{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52970B2D9BE64860B4081835F2D20E6B,SHA256=ACC36E5C43BF9D527E9B95CECDF2FA97621983DBE44F3C9597D68D0C17EB19A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:54.402{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D63516C99D65541C69956887FD31EF2,SHA256=328BE24DA31BEE6B29F9AD6D3F975F2771DEF3328333519581DE7BC5FA13F7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:55.755{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C350F1185445334A2926813B5EA5B0,SHA256=5C8CC1CFB0CF9929E90C96E3D29FCD653D3AB056D467560D6B70D6E5DAB536D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:55.532{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:55.532{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:55.448{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46F9183FB57EC556C683BDDC3613E20B,SHA256=5178BD9C7B37B90A67FFD2DF6A4259D5279389B11ECAC8CEE5EC03228FCCA2BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:56.848{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233296C62E2FEC3DFF8935C8346756D2,SHA256=10F608780CC3AECF83D2D2C42CFAE90A8D8C62EA3E0736FF94F883AF0BF78630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:56.600{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E969AF4D6AA39D771C9CF6D1E7C1008A,SHA256=B917CEA0D8C0C4E513EBA8FA17EFCC7450B8211610D6D4B7377D7B2DBEED6E8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:54.016{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local57781- 354300x8000000000000000276439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:54.016{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local57575- 10341000x8000000000000000276438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:56.416{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000276437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:56.416{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:56.416{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF65232c.TMPMD5=916C2D93B58C5CBAC8AC3098A059BFC5,SHA256=55953AB8F4BC753693EBC3ACF5A7C00D704055829032829763C3617710DD9C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:57.942{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C91CE948116ABB3614952E4D155DA08,SHA256=10B7235378B4A2C9626143EA934D2FF983744FC551FEE97C54F6B958F04150F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:57.731{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B7AD32B462D625958124EF42704FDE,SHA256=D05E834E401485D594DA2303A784AF88BC8BA90ABD5335D5CA458AD71292BC16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:55.142{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64928-false10.0.1.12-8000- 10341000x8000000000000000276443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:57.362{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:57.362{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:58.980{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:58.979{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=0405409242890A04C9785CE24CDD9F71,SHA256=A731BE46B26522D9C09029164938AB146FD52158001C52985792385E6E030B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:58.646{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2772EB0ADD50F9D5618789F022A0D2B,SHA256=1AAE64AA564DEDA4BADADCC4BC5345667BD6CDABBB8DEDECBF813005ED2048C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000052960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:56.092{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51004-false10.0.1.12-8000- 23542300x8000000000000000276449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 13:59:59.661{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4849DF790656F2FCEB0F1424E3350BF,SHA256=56896675556FF2CC4468329D40A9FDF30868DBBF9E4624EB2368576134E43F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 13:59:59.036{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7693D83626224CB55581F2FED09D1210,SHA256=A5ED0C9564FFE44CDC907E51667F5008B9BDD18B1736D2DCFF8C62AD462FB816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:00.680{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC70248EA01F36E7F877C2E4B38020B,SHA256=C2BC79E4CD1318830C77951CB65D5676BD4B8B38E9BF98A804A6DAE177CD4F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:00.130{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75315D366036B153470A08E0DFD5A926,SHA256=B544D154A4DB7B6DD5D5F63BCA851EC27161AB06D67B9003DDB35503462BDCB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:01.731{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A5F746734D5D38B48988D76E40CBDC,SHA256=960232A86B5AD0C84D3B0C80DADFDE186EA74D6720E8DE69787EBAAAD20AFEDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:01.223{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332784CCEA8CFD98701A04DAF6D46AA1,SHA256=96A8D8D1801CE7ECB1990E591F62D6C4D4317CB78A98DDEF851BFC9B24266F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:01.100{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=10313D48AE7BDEC56903CF452F048DF4,SHA256=D2116EC612DD14FEF171B00B7F5F85AB33241F360F21A55E0A83E373975466F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:02.317{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976F9355135E685D88BBB356280378CF,SHA256=FF176928731C25F9E1D95B817BB66A8225711FE1005BDB9A9D6D31BDE3B861CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:02.778{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76CFEA7618A1D30B516BA89F888A439E,SHA256=BD0AE8C3C3024C0B77B799A27E65F860C5F294A44D0836827C9DC876E9BB3948,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:02.314{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:02.314{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000052965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:03.411{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563D105E9F85A97DA1D92771B88EA4AF,SHA256=990C956164E434FC3CAED5166034971CF030BCE2EDAAC223685951AC7BA8CC9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:03.828{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49EF66B9E4F8E3278F9289218AFE8FFD,SHA256=77FD7DC3FE454A649E8D15D6F9EBC8C5DE2359CEB2CD0B65086B7B1106BB9795,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:00.173{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64929-false10.0.1.12-8000- 23542300x8000000000000000276456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:03.744{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D375816875DFBC3E5889BEFCC9731A93,SHA256=34E00DB8426F2A143B047A67971FE6DD4E1029528EB311693CD0476D73C62C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:04.505{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9327BB1A78A5AD6ED608A1C1D11679F,SHA256=F803CCCC76C7555F1ED2B0AD3EC704F5C711264E8E07368BCE43110A80F17056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:04.876{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89849ADC6A9971971C7DDF95E20214C,SHA256=8C0D2F865EE73C7D3362EE8F024DD8CC9BD54226808A5D8A9415009B41B19435,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:01.688{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64930-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000276459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:01.687{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64930-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x800000000000000052966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:02.123{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51005-false10.0.1.12-8000- 23542300x8000000000000000276462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:05.910{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6017D479CDADAE66F12993EE6F291B,SHA256=D33B7E6926D4ED27492CA60C6A3F53DCA452F60549812607D4FDAFBC7BA6A12C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:05.598{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECB9AA421471FDFBF06971F9A02AE0A,SHA256=0C03CFB2277FB24248D5F1F40FCDD30A4F9D77AAC3109B4936B0B3A551F8C581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:06.941{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC91AAA8317DC564A6E2144E278162B,SHA256=15F7633E261BEC2123CDBF8228DF3F492697AB5CE106FE05D799A84398CFFDB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:06.692{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BADBDE08887951D50986994900FD2DB9,SHA256=3642D97F21CBF51D46A8662ABC15491030F76A5558758F07FF17EC5B0E9C60DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:07.993{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E32A6C21093BD0B64CEE126D02D11745,SHA256=449CA5027238332E1B2C6FA65F84C1FF3ADD9F288F4564CFD12DF58DFD8589C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:07.786{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F007E6DDD942823B4DA21C220622F9A8,SHA256=250D5D45EC34050FADD6157619737BC4AC54B211CF7E76A670FD9B0A0F842B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:08.880{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760AF790666E16D0ED71638939DB04E1,SHA256=94F0431C9D3887A29D45363D5F2746416DF48F7A6EB9987CDB9378528C7FAA0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:06.083{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64931-false10.0.1.12-8000- 10341000x8000000000000000276466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:08.693{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:08.693{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000052971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:07.154{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51006-false10.0.1.12-8000- 23542300x800000000000000052973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:09.973{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86398BF3EBF9ECDFF277CAD51698A410,SHA256=EC6DD63A13FC3C7569191B40DD79349A1CFF4E9DFF201C1FD367A10309D0B53E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:09.030{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66393C84FAD23A0C224AA245C7888EF,SHA256=5FC5DF6C6F7017A77733E65B6209EC56990F635D18D26C63A932F0FA4C926108,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:10.181{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:10.181{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:10.060{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDBF2EEB659EBBC6EBD8FA1D39E3617,SHA256=B92AA1DBC540F706B1682B5325D007738E4694BFC7460C57EC9DDE3AADCE4BBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000052974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:11.067{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348BEC769B80104D22889E8643A4CEE9,SHA256=38C32DA12B51F4B1A0B39A8B01400B8F15AA716AC3CC932F26BB6D35B0FB4108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:11.145{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E30A22334788F7760EBFBC8D59682690,SHA256=C42A2F3033FBBA137FA7F01BC465DBFC3230FBD71B0A755B3A1FA59B2E266BA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.848{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F36C-62DF-8003-000000007002}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.848{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.848{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.848{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.848{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.848{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.848{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.848{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.848{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.848{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.848{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F36C-62DF-8003-000000007002}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.848{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F36C-62DF-8003-000000007002}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.849{53069400-F36C-62DF-8003-000000007002}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000052989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.380{53069400-F36C-62DF-7F03-000000007002}36401548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.177{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F36C-62DF-7F03-000000007002}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.177{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000052978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.177{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F36C-62DF-7F03-000000007002}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000052977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.177{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F36C-62DF-7F03-000000007002}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000052976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.177{53069400-F36C-62DF-7F03-000000007002}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000052975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.161{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BBB8BF3BEC45500A62AEC08A8B12A2,SHA256=2C6520FFD6657A010DDAA9EEB34D2517C8C78E5C0F771A177B1B72059120342A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:12.177{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EABC12AA96CBD21CAE6BED62B79900,SHA256=4F0570315AC6A9C998A61C4BFA614B68C3B829BD198247F2883C4CC8F4F04A50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:12.187{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51007-false10.0.1.12-8000- 23542300x800000000000000053018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.552{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C17261BA0DB1E51F2948343CAB05960,SHA256=19DC7A01ECA9354FE74D4FC179FF8A5CDB3FDE1556EEE75B2F14EA67BBA554DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.552{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1D7450E928EA33148945FA59C621CA,SHA256=E60DBC9B14D7792D747D394F8723A0AE8F6CE3283DEDB243A4E8A30D518B38CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.520{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F36D-62DF-8103-000000007002}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.520{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.520{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.520{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.520{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.520{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.520{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.520{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.520{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.520{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.520{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F36D-62DF-8103-000000007002}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.520{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F36D-62DF-8103-000000007002}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.521{53069400-F36D-62DF-8103-000000007002}492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000276475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:11.186{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64932-false10.0.1.12-8000- 23542300x8000000000000000276474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:13.332{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32EC74A43C08F731996D1E626EAB4508,SHA256=537EECEE509B7801E0D147C35F4BCCB7A486042E79E68EDC9076B0528C262792,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:13.100{53069400-F36C-62DF-8003-000000007002}2552364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.942{53069400-F36E-62DF-8303-000000007002}13523716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.692{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F36E-62DF-8303-000000007002}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.692{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=751C004E126CD7DC6F6EE53468412B31,SHA256=AAAABD4212AE0045939FB4B61FBEFFF5DAC48170EDAF062D37C38AF668FAC391,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.692{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F36E-62DF-8303-000000007002}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.692{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F36E-62DF-8303-000000007002}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.693{53069400-F36E-62DF-8303-000000007002}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:14.360{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09EA9BB0751331A0D74F693B6AB5736B,SHA256=0AFC042DCAAEF59E45FFC49B1E918817379127843AB6A72ED9B9708494150EED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.395{53069400-F36E-62DF-8203-000000007002}35643604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.192{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F36E-62DF-8203-000000007002}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.192{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F36E-62DF-8203-000000007002}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.192{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F36E-62DF-8203-000000007002}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:14.193{53069400-F36E-62DF-8203-000000007002}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.833{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD467BBEF780E460BE442C9C2C621D8,SHA256=023CED6DAD01D3E94FA4577A460655CE85E36084913A9DB5FA537969416570B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:15.505{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5740CFA757A6B24BD059B75B9A8880,SHA256=2D61A05D2FF6292A9C44166A774F0382775644F0726FB705DEC3883D29AEAB6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.692{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F36F-62DF-8503-000000007002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.692{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.692{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F36F-62DF-8503-000000007002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.692{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F36F-62DF-8503-000000007002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.693{53069400-F36F-62DF-8503-000000007002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.192{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F36F-62DF-8403-000000007002}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.192{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.192{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F36F-62DF-8403-000000007002}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.192{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F36F-62DF-8403-000000007002}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:15.193{53069400-F36F-62DF-8403-000000007002}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:16.911{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F893447320EEAE22F017BA4CF55E91D,SHA256=119369AD83B3AF2BC215C054252165965D9CE05616F1FCC35C81029F08D220C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:16.973{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D978-62DF-0100-000000006F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97d32|C:\Windows\system32\kerberos.DLL+7a118|C:\Windows\system32\kerberos.DLL+1454f|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+2d496|C:\Windows\system32\lsasrv.dll+32d29|C:\Windows\system32\lsasrv.dll+30677|C:\Windows\system32\lsasrv.dll+2f5b1|C:\Windows\system32\lsasrv.dll+176fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000276480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:16.873{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:16.873{F81F30E6-D97A-62DF-0B00-000000006F02}6407868C:\Windows\system32\lsass.exe{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:16.537{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F782C2CBBD12DA49AB92083BFA6DB5,SHA256=E79319AF869FF0ADE5FFB1D70FCF9A78E04F364EC189A4567B3B3A554D489A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:17.940{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D888F23BE41533FCFAD69A80E37CC5D5,SHA256=D01B2EEC2947EDA8EED37DCE686BFFE1EDEC89988327EC1F2FE8B06149A395AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:17.656{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D50112CBEDC89C149D16670A0E249B,SHA256=4C80F927F8057B4451C84BB14D51F32E4A17C00DAB9209F349E1E763E1A78425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:17.630{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=83676A4E9C9AAEF617BE09F156FFDDA0,SHA256=34B83720C40733D771E9EB2117246D4D17B5784053AA99D92160AFAE99FF261C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:18.702{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717BAE508F72E15A7E7D4800DE2659EA,SHA256=D276223F66F46588ED27530DB48B02A09781F74066277F6EE5D00CD135DB4CA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:17.248{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51008-false10.0.1.12-8000- 23542300x800000000000000053078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:18.005{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A27A06A3146486079BEEBBBD347F28,SHA256=F00E495D8FD03DC02742B4E3CB694134025060EF38A8C17BF7D06B0730543277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:19.821{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6F9465EA1D486260B03FDD7800F3E9,SHA256=3EA56EE0899092DBBBDC6DDCDB00814688A101E7C5084DB9C41D81E571CC3DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:19.586{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-107MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:19.098{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3D0470ECD0FFF4F6771D9518E007E0,SHA256=0CE8B5038A844F1CEFFBDEB665A405A1478EC591758227B0B3365F01CD0CD6E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:16.202{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64936-false10.0.1.12-8000- 354300x8000000000000000276490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:15.988{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64935-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000276489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:15.988{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64935-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local445microsoft-ds 354300x8000000000000000276488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:15.899{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64934-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000276487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:15.899{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64934-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000276486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:15.892{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64933-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000276485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:15.892{F81F30E6-D97C-62DF-1500-000000006F02}1228C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64933-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000276493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:20.870{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0249627C99D091EE42DEDB60EA007510,SHA256=3F3A5CC07F1D952D8A87B84EB15658D429B19EC94CB42F3F15BB8BA3CC1A01A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:20.589{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-108MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:20.166{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03F07CA3F984EE70E2A63DA33BD4B70C,SHA256=1B916761C82EA3080E93BD008E818D39792AA7371331BDF4A2C3D3865C3824A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:21.900{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1E3A05E18EDD4485AD3B623E1E5688,SHA256=EC6A02CFB3BE9773CA01396803D1E9762EE38FC2D55F0D604F0F4DDD5BB1CD3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:21.244{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D07E94B37A58AC04DC1FCF3C5B4892,SHA256=81CA70F87F258C6E5C37A8F68BC6963FD9CF2ECFBA76718AD40C21A16CDA251C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:21.854{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:21.854{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:22.986{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008F77A8ACD1EEB68A6A8FB03C7FDBC0,SHA256=973F52E4EE9AC896365596E44CB565F0FF3B2486ED2A3AB43FAB8D7FE6A669F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:22.338{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4121E24A65B4C7C9D9C3E0BFA5008CCE,SHA256=48C50D2984834D163D0668EB10E134CC2EB7B9D7E1EC21784BB0D552F1D6931D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:23.432{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E4784FBA1370554CEB5C0775E99B9E,SHA256=80FB03EA0BCB0BADD059F0F8B8654420DDD47EA23F05742CA4B2BA565443BF2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:23.144{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51009-false10.0.1.12-8000- 23542300x800000000000000053087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:24.525{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120CFA14A2247347F3521D549FCF1D05,SHA256=08A29A1F00A4701B9C7370DADFB2C40F8EAF9F6AA2C1569C6E8AD56EDAA5668F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:24.016{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206FF5F972364BF7C04658761DC8ECF5,SHA256=7582F68CC956C86B23221B94F8821E194B717883DCA0484448244F6035F16030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:25.619{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41AAF124466AD5264CC3115AE12155C,SHA256=F4AB6B8DE933DE4A209D819B4430B13AE77C10261B4D2DD35B57BB3CCC3C9F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:25.053{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC725303B453EED46C5A9BF85B8FF92,SHA256=5EBF1DDE71A8401A2B48CFABA37B4F49402702CA27EA5C03A5A9FCD6AF497387,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:22.228{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64937-false10.0.1.12-8000- 23542300x800000000000000053091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:26.713{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18ABFD577F09D6A8D6D4C973937E9C6F,SHA256=042F0A434B0649E1104F9492FF361541FE56D510FB21C6A150D2458DEFBDE7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:26.099{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992CE2004FAFDE63FA7DBABD70C24845,SHA256=B0E032A5C55843C42A2C0121559E4084DEC2AA1D7EB9F27E5EB6FC75B153CBCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:26.010{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=132C13A26C88012231A22C349051506A,SHA256=2E7A48C196C39D22E18D92E1E68AA5B2795A88A4489D39F61F0B5DB4007F3705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:27.807{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2E1298A6B9FD87F1A715F104E3AA3B,SHA256=DBFB69CE4F9E273ED5241092FED8C4F3592ADA861038AEC8A14A636388D5EB65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:27.887{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65b59|C:\Program Files\Mozilla Firefox\xul.dll+e65e38|C:\Program Files\Mozilla Firefox\xul.dll+11f018b|C:\Program Files\Mozilla Firefox\xul.dll+e627c7|C:\Program Files\Mozilla Firefox\xul.dll+120a85d|C:\Program Files\Mozilla Firefox\xul.dll+ceede|C:\Program Files\Mozilla Firefox\xul.dll+c395d4|C:\Program Files\Mozilla Firefox\xul.dll+c3930b|C:\Program Files\Mozilla Firefox\xul.dll+1871229|C:\Program Files\Mozilla Firefox\xul.dll+1e41d6e|UNKNOWN(00000034CA763342) 23542300x8000000000000000276502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:27.130{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A257C37947E68E6323A79D2526CE6CD0,SHA256=0836DCE63D914DE2A4B42B5CCCCECAA15E2BFC1396E2A2D85170C08ACA4D8A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:28.900{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F27065A1A1C5174756E1C646DFED4C6,SHA256=2E3F259318C5C2ABF451D734A23E6A768EB7484B9956CA04610633431C2361C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:28.757{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26C2AAB1327650B5A73104E83B41E275,SHA256=0EB0A8CF89D81B415281B5D29E39374865FB6D2DA776F0E60BCDAB9E51A7D7C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:28.691{F81F30E6-DAB4-62DF-BF00-000000006F02}24643744C:\Program Files\Mozilla Firefox\firefox.exe{F81F30E6-EEA4-62DF-BF03-000000006F02}6544C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+267f0|C:\Program Files\Mozilla Firefox\xul.dll+e65274|C:\Program Files\Mozilla Firefox\xul.dll+e65767|C:\Program Files\Mozilla Firefox\xul.dll+85d545|C:\Program Files\Mozilla Firefox\xul.dll+8514da|C:\Program Files\Mozilla Firefox\xul.dll+1a006b3|C:\Program Files\Mozilla Firefox\xul.dll+17686da|C:\Program Files\Mozilla Firefox\xul.dll+1a277f4|C:\Program Files\Mozilla Firefox\xul.dll+9d832f|C:\Program Files\Mozilla Firefox\xul.dll+1f89e|C:\Program Files\Mozilla Firefox\xul.dll+186308|C:\Program Files\Mozilla Firefox\xul.dll+1852af|C:\Program Files\Mozilla Firefox\xul.dll+4446001|C:\Program Files\Mozilla Firefox\xul.dll+44b10b2|C:\Program Files\Mozilla Firefox\xul.dll+44b1edc|C:\Program Files\Mozilla Firefox\xul.dll+1f2e2a3|C:\Program Files\Mozilla Firefox\firefox.exe+19b7e|C:\Program Files\Mozilla Firefox\firefox.exe+27a48|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:28.172{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC34F38724F3BACC0732EC20F2A4E82,SHA256=0472D0C798FC90684A81D7B32695E4EAFEF8B32002C9C5E6F8196A4966EC9C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:29.994{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0D3776E3BB149125947F1F222A94C2,SHA256=87BDEC7E35BBEC6B403CDE6CF1AB72E3203148DB3CAA9DF430A31D0A89D8FCCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:29.308{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2F195F2A37B38BBB2CCFB6126554CF,SHA256=06670A7ABAE11B09FE875F1D45F0861EC78A52599E6DA684E1F2DC13AD749D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:30.340{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798EAC87906C01EA5D3D238D63D82835,SHA256=E1C4C07E2A6A8CF2EF58466A0DAF0155DE49230C712A669F94DA38E4F4B6A3B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:28.190{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51010-false10.0.1.12-8000- 23542300x8000000000000000276511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:31.406{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FCFFF967263EEBD17DA7E968FB6F2135,SHA256=D4B1BBB51B1E16F8A4DAACFC564805069AE79423000145004662EAD0B8B2051F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:31.390{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69C50BE9006EEA1E680C48ED967D0BC,SHA256=D63D6B35638E75C334F3B297143BF378C254BCE6DF161A74D1F99CE5C2A7B6EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:31.088{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805CA61E1661FD483FDF5F750941E37F,SHA256=F7DE3B5D490656EE467801D36763AFA783A113DC93A4A998E2076ADC0192FE75,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:28.127{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64938-false10.0.1.12-8000- 23542300x800000000000000053097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:32.182{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98221BDA9921B727E25815A56B7B460,SHA256=CC06B4FA7DC36792CEDDCCCE85510943C90A9A0AA7B4A1152E5CB4136ADD00C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.920{F81F30E6-F380-62DF-6604-000000006F02}73887912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.758{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F380-62DF-6604-000000006F02}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.758{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.758{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.758{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.758{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.758{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F380-62DF-6604-000000006F02}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.758{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F380-62DF-6604-000000006F02}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.759{F81F30E6-F380-62DF-6604-000000006F02}7388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.405{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79608669ABBBD0DC9536B051759AAE30,SHA256=B875680593B43BFF67B2B292BE1153959407E04137DA23305E18F2D86589BC66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.390{F81F30E6-F380-62DF-6504-000000006F02}79447652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.206{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F380-62DF-6504-000000006F02}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.206{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F380-62DF-6504-000000006F02}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.206{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F380-62DF-6504-000000006F02}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:32.206{F81F30E6-F380-62DF-6504-000000006F02}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:33.275{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D6608232DA3508EE39861B2FCB370B,SHA256=E58C7E7896DFE6B3A995F8B3DB99746C005AC59FCF1C705A6514E427BB13B0B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:33.809{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-107MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:33.421{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840EC5250E61442EB4E9AFF0E8C46616,SHA256=FCDDE7186AD0EC2B50304CA428BA00EA609519E651D164E5AA4BBE28FA44355B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:33.374{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F381-62DF-6704-000000006F02}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:33.374{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:33.374{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:33.374{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:33.374{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:33.374{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F381-62DF-6704-000000006F02}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:33.374{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F381-62DF-6704-000000006F02}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:33.375{F81F30E6-F381-62DF-6704-000000006F02}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:34.369{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC022E8EB98B09C8DD4A483DC705DBF5,SHA256=E2DC4790A8BC80C175D1561833EBFD2A125CA341299E523A40425F9ACF8709FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.809{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-108MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.793{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2C091AA2A8D29E85C4D68570EF52E402,SHA256=645D4B3B3F9F387814475AD9390FC284AA25C424F0E95AFB7B4F79EACDACF3A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.576{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F382-62DF-6904-000000006F02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.576{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.576{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.576{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.576{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.576{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F382-62DF-6904-000000006F02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.576{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F382-62DF-6904-000000006F02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.577{F81F30E6-F382-62DF-6904-000000006F02}7212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.523{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC53C3F040D65DB0AD5A6359971149F,SHA256=1FFD22A8568152C7ECA804EA2427957A2F320F3B4ADD87BADDCA3B02EA946C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.441{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8911207933EF455A2D817491F17B0870,SHA256=F9FB6BE307AFA8E72360B2C95B750D5F25D5A479D8736320854F9E6830AD91ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:34.025{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3A08EBCB0134EC4833C0E0C68A086E2E,SHA256=F81FEADF4D7040A31BA55553B71D173EA80DE5A47EA1E68CEB5AF2D56CFCA5B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.245{F81F30E6-F382-62DF-6804-000000006F02}81767024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.060{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F382-62DF-6804-000000006F02}8176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.060{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.060{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.060{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.060{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.060{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F382-62DF-6804-000000006F02}8176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.060{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F382-62DF-6804-000000006F02}8176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:34.061{F81F30E6-F382-62DF-6804-000000006F02}8176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:35.478{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47578059DB255124483818AAE2E72426,SHA256=CBE848DB002496D7F7FA558F6BB5213510F9999B948979D5D7467A5898E17F9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.943{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F383-62DF-6B04-000000006F02}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.942{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.942{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.941{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.941{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.941{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F383-62DF-6B04-000000006F02}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.941{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F383-62DF-6B04-000000006F02}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.940{F81F30E6-F383-62DF-6B04-000000006F02}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.546{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491A5441F4E25F3B698DA3846CDFF1AD,SHA256=FF175B601163D98BE4C6DB12A5D902E6EBFC224AE1B7C3448692D75F9A86AEDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:33.222{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51011-false10.0.1.12-8000- 10341000x8000000000000000276570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.446{F81F30E6-F383-62DF-6A04-000000006F02}74927036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.262{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F383-62DF-6A04-000000006F02}7492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.262{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F383-62DF-6A04-000000006F02}7492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.262{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F383-62DF-6A04-000000006F02}7492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:35.263{F81F30E6-F383-62DF-6A04-000000006F02}7492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:36.572{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6985F61EF6B2C45EFCA911151DA7EA6,SHA256=4A538C0888F2BF432A091DA038BEE776600C866AB4E2202524419CB51DBC0A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.592{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF83EC345B37FF58D15C52DD3E27C56,SHA256=00C7D1191DC4FD64C40DC35C332E5E9C33BADE746774BAB038B4C3C3A97ACF61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.324{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.324{F81F30E6-D9BD-62DF-9000-000000006F02}46884712C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.324{F81F30E6-D9BD-62DF-9000-000000006F02}46884712C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.324{F81F30E6-D9BD-62DF-9000-000000006F02}46884712C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.245{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.245{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.245{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.245{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.245{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F384-62DF-6C04-000000006F02}7144C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.245{F81F30E6-D9BD-62DF-9000-000000006F02}46885128C:\Windows\Explorer.EXE{F81F30E6-F384-62DF-6C04-000000006F02}7144C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+6d01f|C:\Windows\System32\SHELL32.dll+e085e|C:\Windows\System32\SHELL32.dll+17acfc|C:\Windows\System32\SHELL32.dll+198148|C:\Windows\System32\SHELL32.dll+2844f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17afa0|C:\Windows\System32\SHELL32.dll+17837e|C:\Windows\System32\SHELL32.dll+605f1|C:\Windows\System32\SHELL32.dll+634d6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x8000000000000000276581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:36.244{F81F30E6-F384-62DF-6C04-000000006F02}7144C:\Program Files\Notepad++\notepad++.exe8.42Notepad++Notepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\bkdr_cmd_rep.cs"C:\Windows\system32\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=B4A060DE93BE7EBF6290554A863F1577,SHA256=BC1256E8D35C24431C53011153D7BFCB3453AEE2BC00EFAFE29E97ED4F39BA5B,IMPHASH=4481EEEB8D1E4D61D2BA670CE2825B57{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x8000000000000000276580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:33.171{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64939-false10.0.1.12-8000- 23542300x800000000000000053104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:37.666{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC776A369E58EA2C08C49C40E3F3355,SHA256=81F41B31F2816FE2AA2F9095AEDA5DE6FF3C06DCF6ECA45E2CB8D41184398BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:37.640{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46EEA626DFD182E75F106CD2B267DAE8,SHA256=189713AF1ABC9A3AE65A3DEB50D2A075CECF9A95966EAE774B3CC22EAA766A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:38.760{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B67681B2ED0F394B6D77E864130C524,SHA256=7E8EF777BD978A2AA3A4F4E178216A192FCCDB2C4140E0D38420A91B423D1077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:38.690{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F1A680CDC2FEBCB789EBD61050617C,SHA256=712BB683BC0592139A00EEA78A91E3791BC5C0F9F14673D8573818340FDA192F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:39.821{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776511A988EE05AEB5C5643CCC6CD47C,SHA256=954E6A9F06F27442C9CCDCC50158C15B3A8B1C72C74ED715AABFF14C5E016670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:39.853{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721EE0A61667AB595A767F0F92AF84F6,SHA256=534B8344E6B69DF2A0B72D9C80D8E13646CB5C1835FC7CAEF6B9BF17C639C946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:40.957{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C0DF2E5D34CFDB2E58773C52B0BBB6,SHA256=2BCEB06886194E99B15FB44F453C6E203FC3C3135B82231A26CD22C9661CDC06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:40.947{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3144F408F0268D7478EB82652668F3EA,SHA256=600EC2ED427B633A89E06EB95F4E1D1AB0AC436B8F29449152B96F00D4D7DC43,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:38.315{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51012-false10.0.1.12-8000- 354300x8000000000000000276601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:39.147{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64940-false10.0.1.12-8000- 23542300x8000000000000000276602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:42.087{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795D47BF6E82A4E9DCAA5C64B8A2B229,SHA256=3ACE51AB7B4F2A9023C767398D29B9BB6CD5A86B958F34716CBBAC1A01B65B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:42.041{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB305C41435009D3B8020204EED7211,SHA256=BA5512AB6D901F9144ECD584A8ACB90FCB76D918BB40D5EC39E273577FEAE7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:43.135{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D801621436896B7882D89B7C79954B9E,SHA256=1898367A222130A08C2FD7A6086888AEEEB1BF741AA7BB8CE4054FABD6D9BABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:43.135{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C499F9C2A865A5D0B85688D8A874BB,SHA256=31EEBDE17677FE1FA6900B49CD0106182DEA0B3EB6920E09DE7F668C40D59210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:44.170{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB930CB15FCB341B10C8A684C8743E3F,SHA256=37379904DEC74020B3FFCF0D9AC4F8DDE2EA6939A713788002B57BE198DB9E65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:44.228{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72B9AA4D66DBD6203CB5B8119B962D5,SHA256=6EA0AA6F2E11DE678687C67D7355C848FC71B20CD8561D97F390E398DFC7EE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:45.978{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:44.237{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51013-false10.0.1.12-8000- 23542300x800000000000000053112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:45.322{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE625814A5516D600719186AE2F9880,SHA256=F37FCEAB48949CCDD3458D7EF530D45868146E514914F5D4C2B530CFA70F96E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:45.216{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1F427456D49EE4BAC60253DAFD2DAD,SHA256=E92D1C02018E9895C248FE7F0951A89FB434FB23200B7EBAC30DE346EB4741FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:46.900{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B398DDAE58FB229BD2A10E0A5701717E,SHA256=399DFEA6B344CEF2CF127620DBA56F4E2F75EBAD6FF79C76F9F24BB04DB8C80B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:46.416{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528817F2A5A9D1A336B57C4CDCE88EB9,SHA256=ECEFA1FB471864FF1AA9EE3D5FD60938BEAF626DD6ED134870A7F9AC975DA68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:46.300{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD95B5D0AAA47CF25475F73A33A263B,SHA256=235986A72FA82E409745B2E03A6ABE14AAE40899845672AF02826367940D4D27,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000276610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:00:46.237{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\AA1F4EAC-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_AA1F4EAC-0000-0000-0000-100000000000.XML 13241300x8000000000000000276609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:00:46.237{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Config SourceDWORD (0x00000001) 13241300x8000000000000000276608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-SetValue2022-07-26 14:00:46.237{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_EDB59A4A-4A6E-4084-9A54-2EC7F36D7D11.XML 10341000x8000000000000000276607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:46.233{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:46.233{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000053118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:46.035{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51014-false10.0.1.12-8089- 23542300x800000000000000053117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:47.510{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C004811DF6CD0F1920185ED8B89F77A5,SHA256=51F1D9A67EFEC6D58F28A68DA23C14716FC61BBB3B3D04FE0997AC8CB3453158,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:47.915{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:47.915{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:47.915{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:47.336{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09FDE653EE1647CC98807495D8ABC228,SHA256=E45FFA3CBAA77C71B6F2A05313900FC2EFCBBF6C901B4DE9CF3C42E3519CF20F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:45.262{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local63470- 354300x8000000000000000276617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:45.245{F81F30E6-D97C-62DF-0D00-000000006F02}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64942-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 354300x8000000000000000276616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:45.245{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local64942-truefe80:0:0:0:513a:aaff:ea8e:f17win-dc-ctus-attack-range-502.attackrange.local135epmap 354300x8000000000000000276615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:45.164{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64941-false10.0.1.12-8000- 10341000x8000000000000000276614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:47.083{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:47.083{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:47.083{F81F30E6-D97A-62DF-0B00-000000006F02}6406704C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:48.603{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=161C2E3036E736DD0758FD203C48BBEC,SHA256=56CB449AC4321C9993D5EBA9AD30CC8CBBCBAFA24881E837EEE3E489E42A1DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:48.982{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:48.383{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB635D256CE978F80B4BCA2CE94DAEE,SHA256=40B4E7D1670C5EFC742293FE17F9EA5B16EC28C6096BBD49510E984B851B5686,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:46.104{F81F30E6-D98A-62DF-2D00-000000006F02}2676C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local56369- 23542300x8000000000000000276627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:48.183{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=571F632F85B167945F1D4B048FF589DE,SHA256=FC310DEFDFF5BB82BEDBDD9C976B45C3D30A8F8B425F7E1CEB05F933B876C43F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:46.094{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64943-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000276625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:46.094{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64943-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 10341000x8000000000000000276624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:48.099{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:48.099{F81F30E6-D97A-62DF-0B00-000000006F02}640844C:\Windows\system32\lsass.exe{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ee3c|C:\Windows\system32\lsasrv.dll+e76d4|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:49.697{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A26F4CACF6692D141686B132DDDDB95,SHA256=EE5D930894A55F6FA9B2F5C0194EA2509CBEEB87B2140C667B870C6ECBC1EEF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:49.398{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A317814C6FEA054987AEA5997CB4FC61,SHA256=2EBD511B6983E46CC067F7523F79BC19E2287512107B8F9AD36BC156C37998B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:46.926{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64944-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000276631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:46.926{F81F30E6-D98A-62DF-2A00-000000006F02}2640C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64944-false10.0.1.14win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x800000000000000053122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:50.791{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217AB0D963FB4F4C3D6446E92C4CC262,SHA256=C7B20212B67E8921497FF3C1CD07F8F6F9E45B9F134928DDE886675C9F236C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:50.450{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8614F9F80CCFC6517326BF783689D9,SHA256=2D4AA0D8F75A34395C6384C16AE7877E84BFB580501DAEA123401F32E8F1B6C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:47.978{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64945-false10.0.1.12-8089- 354300x800000000000000053121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:49.257{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51015-false10.0.1.12-8000- 23542300x800000000000000053123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:51.885{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AEDB011CE621F6E0DD117E53721BFB,SHA256=00EFFF4A7E494F77CA8AD8EF9CB2C87D13B53034B2B752B63900789EE20607B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:51.611{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9C791C7A8FDD3A68140185211541B9,SHA256=4DD80487E68A3FCBB921B1C045505107DFDF24EFB9A45CBF8DC49E62C45FF27B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:52.978{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7C48326CBC7919E723A3011A9BADDD,SHA256=2DA5763ABF4A07C048BB117680121843C67CE94E7E0C0A8FEBF3BBA6EAD82598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:52.663{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5365EC8D80562F3FAF1CFF7C75A093,SHA256=6D28F3A2224993639FF690336FC8646DD6867283A8BA72BEFC6B48C5C028FD6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:53.694{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254EB47CD997B896A65947592B279962,SHA256=CC2F99A5E342F347585ADE2AE539A8C82D3CBAE940CE93365F6C56C45CD89823,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:51.159{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64946-false10.0.1.12-8000- 23542300x8000000000000000276648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:54.745{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C3BFD074AA529014732F8248317432,SHA256=9954B916C376D97766880D61BEA0EAB48527EEF17E6F7EC7F77985781A910DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:54.072{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ADAA78D8749A4959796A31CB4C4D9C9,SHA256=5C6874D7BA5E958D79651B41AA643152C1A5CB1949F6FFCE07098553FD31B770,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:54.230{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:54.230{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:54.230{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:54.230{F81F30E6-D9BD-62DF-9000-000000006F02}46885772C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:54.225{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:54.224{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:54.224{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:54.224{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:55.791{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96232B6EAB6FE5B2F337D5BCA8BBCD8,SHA256=B87564AC7B87257AD75817174B35AA0D5665C19246FBE9F0DEF58C35ACD78A91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:54.315{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51016-false10.0.1.12-8000- 23542300x800000000000000053126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:55.166{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4421C693882CBD6879D45DEA1EA3FF5E,SHA256=CFF22C76B497578F67901CA0EE35EBD74CD2153C693D0E23BB4E84F724858681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:56.943{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D65B6A771E0690A41ED1319D4356221,SHA256=A9B7F8AE2235FB2E67554A4E56037EF2F21A41D2B5534D1F29416CF171BCFD4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:56.260{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477CDEF26B2936D0F36FE2016C136918,SHA256=E2B41063D48BF0252237DEFA450259A90E8C59D948B23966E92CAB187006C427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:57.353{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1807AED3708EDD0381429ABB4142367D,SHA256=9AB20BADD1DF84BE54F51AD0A7F0456BA5DB981E6F8915ED4BC3F1A651052344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:58.447{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CD861D728D1FF8185AB448286CA93E,SHA256=3773768054F9A60D0FAE4F2B2FEF155F11304C6B71150825B99DCDAF1834666B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:56.207{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64947-false10.0.1.12-8000- 23542300x8000000000000000276651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:58.065{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D525DF21DD4A8A72DD69C7F44A8B7C,SHA256=0CFB3AFA7D6EE5395A76FF2DE8003078D0D98B25EC3E0DFA7B3C9C7EB1BFF59E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:00:59.541{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FFCF31A2D6893D305A44158C322A45E,SHA256=1F49410C42927BA2041DD577EDC63B7522A5EF47EEDA0DE24C9CDB6C48BDD117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:00:59.111{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99B7E63FA84EF46E912DEA5CBBE8B88,SHA256=786020318CAE88AB0C82BECC6C13894DCDADB615F0EA8D4D050F43F2F12CBFB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:00.635{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C798ABF901EFCED58B11291EE2195521,SHA256=F648C40F7BD8C4BD40B58B99DACF1D6D3D95E5A7BAA0B998593B6615E6C5D016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:00.228{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4332A000B824F66C5C066072826CDE8,SHA256=18C495063BA849D50B74230F41C78402EBDF2631A4B5DAE874E920406CCC275D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:00.190{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51017-false10.0.1.12-8000- 23542300x800000000000000053133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:01.728{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05615618AD1FB0085AD6CC8A4716E3E0,SHA256=43B68985F2B56E195AF4A2ECDB4975C39B2FF969AAEA8E46FE56B0E33F2938A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:01.765{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=289E60A525719DCBFAC7C00C186015CD,SHA256=738CB9BE98388CD7D36059826A00254913F444C41BCCBD7C8744F41DC0130E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:01.232{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C619F0156ED8E3D9AADD3BA464DBEC,SHA256=7A3961C7AAA2C427A6EE6DD1729C46FD0FA25C7B33A9291C1F8EBCCCF16FF527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:02.822{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=329D1A167D7855218B9113D4FD574BFA,SHA256=4246BF7928E6F15096EF06C20EC1D1DE30A76FF78626DD6B7F02C7FCB7A5F156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:02.265{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BC7D48BFA1E7D6429B504743D31D17,SHA256=BCA89A02DFC0A0AD5281F07EC8D419391CA580AC05A381408FBFA6722A70D04E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:02.249{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:02.249{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:03.916{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E0B8665094EE05B5DBD1FDF1D837BC,SHA256=6688CFD9B540BCDCCF284A8BB43154F62CE3B6FE90BF80996D9E56D9FC0C62D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:03.748{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=681B0DC235AC30A7C0CBD626706C4748,SHA256=C0CEB5501EE9F5C56E2CB36F71EC3DB7CEF46CC7B0F4F70E502770CED249CD44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:01.223{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64948-false10.0.1.12-8000- 23542300x8000000000000000276660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:03.311{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0AD47520568062D1AA3554C1DD8E36,SHA256=E51F51110AE2979B789A46043A7B4EAD26561E645F1DDA2F8F7F9B46BD394BEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:01.708{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64949-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000276664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:01.708{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64949-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000276663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:04.447{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87AF81E2F384555790250E41AFD61940,SHA256=382A4C47D393C4192E827338CD76D43E3C897657C6D75D5AFA30E9232AB8EDEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:05.593{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5523475CB1A88871664556F15D2A0840,SHA256=BA0F99ECCD4B606FBEB076A22250D69894ED2E215C17C7B78291076007661D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:05.025{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2912EDDD32658F6F4FC8B8F22C442753,SHA256=B5FE85032C3A53034D76A287F84F4861959DDA5CCCD77EFECC538AB46CD806D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:06.625{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07935106BCADE63C85D600B881F332AB,SHA256=7FD7E5A6B2707442DA6C58FB9BE039AB014B56EEF0AAC5487F1ADC3939DBADFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:06.119{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A81FC85FD429F842BE5DA64F2A77719,SHA256=E98731415520EEA0992A0223B941E1E0CBAA76D8F31AE8DEDDFAFA87A77D4541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:07.631{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780D174F8C2E6EE8EF8899C13448E873,SHA256=1330F916C67E4B05BDCF4CB8899DC65C8F1C9478C6AEFC96A9CC5FD9634DB2C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:07.213{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA3B554838F35FEDB7EB2A7EFF6B04E,SHA256=2B5797E0E59E1F1E402BF8628527E7A4FE13123573A97A58C96F7F9228266B9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:05.268{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51018-false10.0.1.12-8000- 354300x8000000000000000276670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:06.260{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64950-false10.0.1.12-8000- 23542300x8000000000000000276669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:08.679{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D8C9C95019F6614551DB1EA3C947B1,SHA256=29525E339F000A38E312276281B247D3B14CFF347AE74F4173EBEA1E2B0392BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:08.306{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2468174455C6835CC221CE38922E27,SHA256=30717F8188B171690E20AE2128CFD39F9ACE572EF80C85004B715D51B14A39E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:09.727{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7919FD687BC00F09510DB54EDBD7D7D,SHA256=6E0BAD2568F413A26FEBF2372BCC79DA0DB369B8D704470D7781D673483F5270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:09.400{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108F0E0FB4F90F6DD3EF4E5BEBFF59E9,SHA256=1F1FF74D6D93B552E57E37F73A4403D3D1E5FF2724ED72358E2AF4C8EC740E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:10.809{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9392CEE242738E602AD21B8FD7F2F4,SHA256=8F3191E3CE82CB819A2E35A1C8A6D60CE0E80E14B810C21D7CCE092ABDD0E33E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:10.494{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FFFEA0FF3ADA166CEA26931A313F44F,SHA256=E21AE9122D2BAF6F60935A9C578B5C60E32FA4C9D0B678ED9E49581FB287532D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:10.378{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:10.378{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:10.362{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:10.362{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:11.825{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED70C7C398677A86BC35C082E9D956E,SHA256=B835066F96028C8CE87B564233FFCE787192EF92D21D290431E846461FBB44AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:11.588{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19CAD39349B83041FB6E884101ED353,SHA256=2C51C6E4A91489EAB89399C694CD85B75A792543FF63F975B0B0CE3783ED7F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:12.947{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A87B13792584B6F174935BCC92D5BF1,SHA256=D9AE4D03F69C4F62DA9ABCC3469B3E8FC76835AE6EC1B8F5BA898EF529FE0DAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.838{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3A8-62DF-8703-000000007002}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.838{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.838{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.838{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.838{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.838{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.838{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.838{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.838{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.838{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.838{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F3A8-62DF-8703-000000007002}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.838{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3A8-62DF-8703-000000007002}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.838{53069400-F3A8-62DF-8703-000000007002}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.682{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=293BB4CA6E066EAE5EA440F958D6A1DA,SHA256=815BBF6CC8571C1A435486D66CF7DF9361149DD7E8B5B5AD38C63D6ADD3A3D5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.338{53069400-F3A8-62DF-8603-000000007002}28521704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.166{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3A8-62DF-8603-000000007002}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.166{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.166{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.166{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.166{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.166{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.166{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.166{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.166{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.166{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.166{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3A8-62DF-8603-000000007002}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.166{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3A8-62DF-8603-000000007002}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:12.167{53069400-F3A8-62DF-8603-000000007002}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:13.994{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0FB8BD1D3A9BD63F8330C230A38C8C,SHA256=98D416ACFDC739D48E21204E2DB7EB4A4CC461E44BE2590E1F9D70FE3A2270B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:13.338{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3A9-62DF-8803-000000007002}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:13.338{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:13.338{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:13.338{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:13.338{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:13.338{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:13.338{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:13.338{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:13.338{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:13.338{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:13.338{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F3A9-62DF-8803-000000007002}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:13.338{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3A9-62DF-8803-000000007002}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:13.339{53069400-F3A9-62DF-8803-000000007002}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:13.291{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=275FCF8241EC3B95E7961EFE41BF666D,SHA256=94B1B78BCEC918A694335BC7F957E20D69C932C06D1FB037F4634B5126414D0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:11.190{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51019-false10.0.1.12-8000- 354300x8000000000000000276680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:12.037{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64951-false10.0.1.12-8000- 10341000x800000000000000053216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.791{53069400-F3AA-62DF-8A03-000000007002}28481208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.635{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3AA-62DF-8A03-000000007002}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.635{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.635{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.635{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.635{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.635{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.635{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.635{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.635{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.635{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.635{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F3AA-62DF-8A03-000000007002}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.635{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3AA-62DF-8A03-000000007002}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.636{53069400-F3AA-62DF-8A03-000000007002}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.181{53069400-F3AA-62DF-8903-000000007002}588356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.010{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BADE875471456925C269F9298877FD,SHA256=8708C6BD47CBA5684EA7418723036984CACFF82F29029292A28227781E70EC42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.010{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3AA-62DF-8903-000000007002}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.010{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.010{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.010{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.010{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.010{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.010{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.010{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.010{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.010{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.010{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F3AA-62DF-8903-000000007002}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.010{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3AA-62DF-8903-000000007002}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:14.010{53069400-F3AA-62DF-8903-000000007002}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:15.127{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E9941A3DB553F5985E985A72295450,SHA256=438E68FB54E8D7B285892DC654E230025ED01231CCF858AB548239D8DE27B36E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.885{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3AB-62DF-8C03-000000007002}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.885{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.885{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.885{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.885{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.885{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.885{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.885{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.885{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.885{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.885{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F3AB-62DF-8C03-000000007002}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.885{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3AB-62DF-8C03-000000007002}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.885{53069400-F3AB-62DF-8C03-000000007002}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.431{53069400-F3AB-62DF-8B03-000000007002}31001904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.262{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3AB-62DF-8B03-000000007002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.262{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F3AB-62DF-8B03-000000007002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.262{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3AB-62DF-8B03-000000007002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.262{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.262{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.262{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.262{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.262{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.262{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.262{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.262{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.262{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.264{53069400-F3AB-62DF-8B03-000000007002}3100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:15.262{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E171D38F16E13A33795AF42B8B3FCE,SHA256=60D8F336F0B589F9F10D4AB3DC87D4787EDCBADF16B46AF91D3E086042F52A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:16.510{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345B441FB34A27F8CF1204A7CA025FAF,SHA256=E0B201496E9F38C67FAAF2F2EB3170C95AA88324B4798EE9112A722018155E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:16.252{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F140FFD0D2C6645A86A7418A9AD56E,SHA256=90A5DC9AD01BE462ADD2394538A4A32E7291AA05264CB33E6C8778D19C3FE266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:17.635{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730A818577C9F56D4AAF0A7D921E5D24,SHA256=526F6777071CB03063038266AD18F399EA8E8C26AADBAD35E5CF0063BE41B059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:17.282{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11205950B49238346947CDB96D4446FE,SHA256=FAA7E1B74EEED9CC7DF282763687EAB6EAB41B8268037ACCFAFCAE67AC858E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:17.119{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EE5FF41F1B985924E4F013871921129A,SHA256=36F4045953D2B1E53098D781B6297D743BEFB3DA27658ADEE281F6D0A32AF433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:18.728{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4FC349753DF79340BACD16F442273B8,SHA256=7680E2AA8798D3AE2047EF0B1F417FA019757BCD688A53E39B7366A3B83BC548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:18.430{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEC6FEF18FF623FC10A1D3CCE33D006,SHA256=5E6E5B1CED11758AF2C606D87217F2871D352DE57559EE020FD5E3FAF54FAD11,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:16.315{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51020-false10.0.1.12-8000- 23542300x800000000000000053250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:19.822{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=859247E46C17972EB2F94B1BE605532C,SHA256=5DF72C45C9432A1550FAF67B026AB788324C1558595CE402C78E15B997AEDE62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:17.208{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64952-false10.0.1.12-8000- 23542300x8000000000000000276685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:19.480{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D985D2807592DCD315C19C1AE17C1FDD,SHA256=FADFC2D43EE8905C3DE7E31968224CF15E084B1040C015FFEDABBEA0F53527A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:20.917{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745AA2141E33A3C6A61162CD5A6A89BE,SHA256=9CF72A51D6DFFC0E0B134B4A1D512DC769CFEB59E8CC9FA504F863B45D2DF199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:20.528{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0D9E550BDBDB756BD1CEB6179AFF80,SHA256=AC2EA9D3A42CBBE8FC34A45001C02F57316CFA72A6D93A3DE6A5A0EA4F026BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:21.577{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00079D8E23FDD0E4966D72ABEA373D33,SHA256=FCED66A7CD464712CE9B858B3067C673274D9E0362B8C678E8DFBBF6E58B33D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:21.107{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-108MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:22.725{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BB285A8465D8A28308F7006B49B12BE,SHA256=31CCAA70481F25C9FD0D8DDDAB2B8CDA98055CB7624F29584A00F45632F91FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:22.121{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-109MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:22.010{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22609742418548A7FD03407325BBA75,SHA256=769AEF105FE14F640D6C56F2C04DDD1111B1EA90A6133AEC9F80857F79FE7EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:23.859{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCC20DF9BF5FE239F55F297108C703F,SHA256=C43F4FC4AD07BF748E0AE9858E26067802E400BFADE9F9DF321741CCB4136AAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:22.113{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51021-false10.0.1.12-8000- 23542300x800000000000000053255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:23.105{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D191C3FEB5F15C6A46D238A0EEFBE75E,SHA256=E52934CE621756EF65B36A8E11E0C951AD79313D567729688DC5A461EDA73378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:24.980{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D043CC7BBCD8E915B39333466012F8A2,SHA256=94DBBDA3D8AB473E786E75BD979D42CCC95149752A25EF89E0044BCA54D6F3B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:22.256{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64953-false10.0.1.12-8000- 23542300x800000000000000053257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:24.199{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDF378C7E17D3E811027D49638E8C7B,SHA256=3AEBF7FB14AD35EFBCF22696DF6D83F28F53875573632D9309F23C67C2A28561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:24.781{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:25.293{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A70563CEC13C4B706604A8CC9755F1A,SHA256=15F495A214D0C94C34D9E4769BEDD180454C59BBC24173120711807426CB8B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:26.386{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD426426EC0300DC1FE5F194E5E7341F,SHA256=F9513EB094BDEE8FA4FEB331C3C5961856C1117A8E8E2A24E65018EC3154F19D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:26.011{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12A5FC4B6C7EE7EBCFADB0AA748A763,SHA256=70061D7C325AACB3D3E3AC93DDD65BF92361763C3F24D6388471404BAEAC93B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:27.496{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D5ED2FE312AC4F94EEA48724CB1F8B,SHA256=7DB87CB28763B677254E85DB1741BBF544870AD16CE9C026B0711C0AE8A5D2F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:27.110{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AAB6BE8B841BD61D7A49BC4DF7CBA5C,SHA256=A86FF7AFE8391A0D9AB96F3C7D2212C08D1A404FC29210E5A54B81FAA0CD44F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:27.255{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51022-false10.0.1.12-8000- 23542300x800000000000000053261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:28.590{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19210640B31F33509FAA1510F7E7E44A,SHA256=0ED35B7D470AF76069D39BBE944066726CE2DA538D672667CD6C636BB2BA0FD9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000276698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:28.462{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exeC:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat2022-07-26 14:01:28.462 23542300x8000000000000000276697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:28.462{F81F30E6-F163-62DF-1F04-000000006F02}2264ATTACKRANGE\AdministratorC:\Temp\dcrat.exeC:\Users\Administrator\AppData\Local\Temp\EmmQZMlqRJMD5=DFAAAADC3E46B0D987BB6B8244DF0555,SHA256=401FAEB69FD400CA1BB19F49B4AC220B12C07AF27F413203755CEF3B5E3281A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:28.162{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064202820238229C1FA10D3DC934775C,SHA256=EDCFA8E4ED3096F287B98D282A3EAEAFBFD5602212F6B30702774888F4587AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:29.683{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D1E51D6CBACE7023A41E21C761FC5F,SHA256=E4606D4EF5238CCD762AE3A9254E1D314EC5E6EDD276DFD85292EA928709BA16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:29.208{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438573829EF604C30DACBE9C82637F22,SHA256=4D30130F93ED57EE687C109AFEF53FCEF872E9377B7D9454113B416E973622C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:30.777{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CEBF006CDE39585AECC22C1C05E5382,SHA256=555AB6A5585AC88A6C0C0E54B42A0DD7E79297ACBB6E94D6D26AD43312CD513D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:30.245{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C006FB63ACF6ACB0B7C290029491C77,SHA256=882D73B2A73E053701669CC1E2E6A5DE83777889AAF771AF2AAA4476F18A7BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:31.871{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05A2149A5EF5549701AA006F549750F,SHA256=1F2CE7A9F6DE7D518FD391D1FD2CB047D60DE0DDFBE0A3DACE141A2FFA4660F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:31.290{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EBDA77526EBC521A942AC483F35AF7,SHA256=81E87CC04639A3CFCE3C7B1074E16270874C2AD6DE84CF4ED08F36C3E19CB1E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:28.073{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64954-false10.0.1.12-8000- 23542300x8000000000000000276701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:31.091{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4BE563F41298CF12DFCF3542967775C1,SHA256=9A43B010686F9A1E623016192509B5D9A36897AE8B5EF12354F2CEFE11E50F46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:32.965{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF01AC0C845DCA24D3DF1230552C905A,SHA256=ECD0DA0FC19AF7038B0E2EE4741B18A0145AD923CCBCC05C1C0A41D231FF66B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.977{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.977{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.977{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.977{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.961{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.945{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.945{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.945{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.945{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.945{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.945{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.945{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.945{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.930{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.908{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.908{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.892{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3BC-62DF-7104-000000006F02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.878{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.878{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.878{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.878{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.878{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F3BC-62DF-7104-000000006F02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.878{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3BC-62DF-7104-000000006F02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.879{F81F30E6-F3BC-62DF-7104-000000006F02}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000276748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.830{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.830{F81F30E6-F3BC-62DF-6E04-000000006F02}69927624C:\Windows\system32\cmd.exe{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.835{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3BC-62DF-6E04-000000006F02}6992C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000276741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.830{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3BC-62DF-7004-000000006F02}6880C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.809{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-6E04-000000006F02}6992C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.809{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-6E04-000000006F02}6992C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.809{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-6E04-000000006F02}6992C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.809{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3BC-62DF-6F04-000000006F02}4160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.793{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3BC-62DF-6F04-000000006F02}4160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-6E04-000000006F02}6992C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.793{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-6E04-000000006F02}6992C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.793{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-6E04-000000006F02}6992C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.793{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-6E04-000000006F02}6992C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.793{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-6E04-000000006F02}6992C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.777{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-6F04-000000006F02}4160C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.777{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-6F04-000000006F02}4160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.777{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-6F04-000000006F02}4160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.777{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3BC-62DF-6F04-000000006F02}4160C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.777{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3BC-62DF-6F04-000000006F02}4160C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.777{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3BC-62DF-6F04-000000006F02}4160C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.777{F81F30E6-F3BC-62DF-6F04-000000006F02}41601852C:\Windows\system32\conhost.exe{F81F30E6-F3BC-62DF-6E04-000000006F02}6992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.762{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3BC-62DF-6F04-000000006F02}4160C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.762{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3BC-62DF-6F04-000000006F02}4160C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.762{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.762{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.762{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.762{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.762{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3BC-62DF-6E04-000000006F02}6992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.762{F81F30E6-F163-62DF-1F04-000000006F02}22645632C:\Temp\dcrat.exe{F81F30E6-F3BC-62DF-6E04-000000006F02}6992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.765{F81F30E6-F3BC-62DF-6E04-000000006F02}6992C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.762{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3BC-62DF-6E04-000000006F02}6992C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.391{F81F30E6-F3BC-62DF-6D04-000000006F02}62286520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.306{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F910BF9ED9C287754195FBF89E6CB14E,SHA256=8B89D824E9F9715BA70716E8B40A2085F57349D28D01EDED99A3D0381FD3C585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.227{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3BC-62DF-6D04-000000006F02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.224{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.224{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.224{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.224{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.224{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F3BC-62DF-6D04-000000006F02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.224{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3BC-62DF-6D04-000000006F02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:32.222{F81F30E6-F3BC-62DF-6D04-000000006F02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000276785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:33.392{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3BD-62DF-7204-000000006F02}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:33.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:33.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:33.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:33.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:33.392{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F3BD-62DF-7204-000000006F02}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:33.392{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3BD-62DF-7204-000000006F02}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:33.393{F81F30E6-F3BD-62DF-7204-000000006F02}6316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:33.328{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E3787A86FE910397DA9F280DE6A325,SHA256=CD9E89454EDF8CA91E2881C12C7F598DA76EE58340DDDFBD8D354EB67DB6B6F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:33.326{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA12FF7C8C37149FE8C606C3565653E2,SHA256=C235C166F644051C4A6515372D78949C8717F933637A73C55025340E4F9C078D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:32.270{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51023-false10.0.1.12-8000- 23542300x8000000000000000276775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:33.177{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3A7115E6338237850DD1725B07E8C0,SHA256=49C986484EBC20B0D0C88D9C6E99FDF8606F88055A7E366E923EED93ADDE577C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:33.161{F81F30E6-F3BC-62DF-7104-000000006F02}66966816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.908{F81F30E6-F3BE-62DF-7404-000000006F02}79966460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.806{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3FAC3A866019FD861CC4358C6C16E423,SHA256=FEFC586F11F710B6B9DDD623347AF12E9E0608A732C28AE477110C70A20C7261,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.743{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3BE-62DF-7404-000000006F02}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.743{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.743{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.743{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.743{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.743{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F3BE-62DF-7404-000000006F02}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.743{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3BE-62DF-7404-000000006F02}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.744{F81F30E6-F3BE-62DF-7404-000000006F02}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000276830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.425{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.425{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2C00-000000006F02}2668C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.424{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.424{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.424{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9400-000000006F02}5104C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.424{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.424{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.424{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.424{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.424{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.424{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.424{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.424{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.424{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BE-62DF-9300-000000006F02}5000C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.424{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.423{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.422{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.422{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.422{F81F30E6-D97C-62DF-0D00-000000006F02}912932C:\Windows\system32\svchost.exe{F81F30E6-D9BD-62DF-9000-000000006F02}4688C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.375{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5BB9C537E910B947104027C55398F94,SHA256=516CBD4C2D526E4E142DAD508DA6EBDA327FCB59C882B3CBC9A2AF756E76B1AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:34.058{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442D829D334AC7B13308991556458B93,SHA256=34982F33574D126380B53E6B527D9FEF2656CEA63A0C90F46A92D1EE14FA1493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:34.027{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=271229B9025C6FA27295E57A0D1EDBC2,SHA256=2C40AACEF5AE061A76ED5104441EED0CC42B4A4E6D1E3ECFF8DEB084C9B68024,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.076{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3BE-62DF-7304-000000006F02}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.076{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.076{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.076{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.076{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.076{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F3BE-62DF-7304-000000006F02}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.076{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3BE-62DF-7304-000000006F02}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.077{F81F30E6-F3BE-62DF-7304-000000006F02}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000276851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.691{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2902232CE9D365E98A45C6EAE573851,SHA256=7D92D040751A00B734CF012B2988C7B6C5155DABC7114FB6D2544384C8717360,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.591{F81F30E6-F3BF-62DF-7504-000000006F02}65006896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3BF-62DF-7504-000000006F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F3BF-62DF-7504-000000006F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3BF-62DF-7504-000000006F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.408{F81F30E6-F3BF-62DF-7504-000000006F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:35.152{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436EA6607C38211854C04672CAF74C03,SHA256=0973402C0CCA60D3ED4DB075D2F6436E69E5620A9E305DECED80510F15FD0BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.348{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-108MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:36.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:36.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:36.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:36.246{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D75819FC72A5F1F7793651B829E1ADC,SHA256=541B42CB4447EA5B441C3D1034ACBE7510620F9CB3D8376A3588B792FA457642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.474{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8915943F61DD46D3D6BEAC42ABAA27FF,SHA256=99527D1C48CD8E88E3BF0B9E514B5A69B9DC635AADDFACD8E7ED08C52ABFB8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.360{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-109MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3C0-62DF-7604-000000006F02}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F3C0-62DF-7604-000000006F02}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3C0-62DF-7604-000000006F02}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-F3C0-62DF-7604-000000006F02}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:37.340{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CAE280C87914964F2E2A1901C0A3B3E,SHA256=B19CE1667BE1DFEB4F0554DAE590503B261F0C0F38E4F4109CD67FD75AB2DD56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.605{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14201F468DBA4C5E2342AE9C4C39ED1,SHA256=5C596C0BCA9E66458C0C33536F45418589C570D392177A990E4240ADA7541B6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.087{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64955-false10.0.1.12-8000- 23542300x8000000000000000276872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:38.642{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2834AF453B6590889F3CF2E6F2A11150,SHA256=B2E4719CE0A66FE37A2B1DDB8873E2D4D964C9CF3835221762060F92B7AA2900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:38.433{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A87E2BDA7813CE6343CBD844DA3564,SHA256=6BC2A88916BA8E2B5CF871434B4B2AFFF3A52F78EF8DD42F6F2ED457C0DA158E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:39.527{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DB2128A1FF3567C5A8AEABD4A5BCDE,SHA256=7C60D95E653C8BF776E673FAD1301AB78A0FB8730F3AADD0B8BEDFD851301E59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.985{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.985{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.943{F81F30E6-F3C3-62DF-8704-000000006F02}81362408C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-F3C3-62DF-7E04-000000006F02}69884576C:\Windows\system32\cmd.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.932{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.905{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.905{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.905{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.905{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.905{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-F163-62DF-1F04-000000006F02}22646864C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.901{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-F3C3-62DF-7B04-000000006F02}77842404C:\Windows\system32\cmd.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.882{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-F3C3-62DF-8404-000000006F02}73963224C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-F163-62DF-1F04-000000006F02}22644128C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.862{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.842{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-F3C3-62DF-8204-000000006F02}8040436C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.824{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.824{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.822{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.822{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.804{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.804{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.804{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.804{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-F163-62DF-1F04-000000006F02}22647084C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.795{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.726{F81F30E6-F3C3-62DF-7F04-000000006F02}42526716C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.726{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.726{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.726{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.726{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.724{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.721{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.721{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.721{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.721{F81F30E6-F3C3-62DF-7904-000000006F02}74566672C:\Windows\system32\cmd.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.721{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000276957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-F163-62DF-1F04-000000006F02}22644664C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.712{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-F3C3-62DF-7704-000000006F02}48086368C:\Windows\system32\cmd.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.697{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000276932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-F3C3-62DF-7C04-000000006F02}62724240C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-F163-62DF-1F04-000000006F02}2264536C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.674{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-F3C3-62DF-7A04-000000006F02}11524952C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-F163-62DF-1F04-000000006F02}22644804C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.638{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-F3C3-62DF-7804-000000006F02}41166396C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.604{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.604{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-F163-62DF-1F04-000000006F02}22641576C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.601{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000053277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:37.286{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51024-false10.0.1.12-8000- 23542300x800000000000000053279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:40.621{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2514B8937F8A2C82A01472ECC2A570BC,SHA256=153DCF9013834F3E7D39790BBE1A7747FE8D037946C747DC267951FBD1B98CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.727{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7DF994EC3E80261AC2A1F5BEBA1986,SHA256=AC99A09CAD4A316A5DEF878F3811BCEB139CA4796015DFC9177730D82CEEAAAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.643{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9977CE023B7A6B32BEA6374AA6BF6ACF,SHA256=E1D947DA954435FD2DEBCFBF555ED4F3C7B4989650A96B53896D78007C27F162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.643{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=028341CDFD6DD76ED7EFFD38B58FD10A,SHA256=C621F27787B5B40744FEE9A167B333164A0ED33D1170C03DE718F97D1865CF67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.574{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23349B59B789BFACC43446BE0713F1B,SHA256=FF72A52A87F61E963233B30CEFC23FED3DB9397FD772CCFC3D9E859CA2F2C0D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.525{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.525{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.525{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.525{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.505{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.458{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.427{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.427{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.427{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.421{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.405{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.405{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-F3C4-62DF-8904-000000006F02}41648112C:\Windows\system32\cmd.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.398{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.374{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.374{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.374{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.374{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-F3C3-62DF-8604-000000006F02}19247832C:\Windows\system32\cmd.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.364{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.343{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.343{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.343{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.343{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.343{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.327{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.327{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.327{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.327{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.327{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.326{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.326{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.323{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB24BC7956B7CCA04D1F8AFD5E6CEECE,SHA256=F53D431F43CA879A20FC74F0A36625B65FA29AB627CCB5128FE5D0BBB8211F39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.259{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.259{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-F3C3-62DF-8304-000000006F02}40725480C:\Windows\system32\cmd.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.228{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.225{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.224{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.224{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.224{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.174{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.174{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.174{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.159{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.127{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.127{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.124{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.124{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.123{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.123{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.106{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.106{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.106{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB73A999A580F33212303ABE7845EE9,SHA256=66FE90707F53363E825D80658AC77A2ADCFD8F270829AD7A702C234C7482F118,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983FEEAB3BB369870DC33052D478EF11,SHA256=1083874963DF99C9A4D993C3FB5D59A11366F85CF079B401067244D071DB2A5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-F3C3-62DF-8104-000000006F02}78524020C:\Windows\system32\cmd.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.075{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66826BAFC88C8D468840BBA793B9FAF3,SHA256=FA8AAEC9158A2614DCF845C155AC7AB9C2310D639227780FA132ECCEC6B142C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.043{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.043{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.043{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.043{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.043{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-F3C4-62DF-8A04-000000006F02}80287972C:\Windows\system32\conhost.exe{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.026{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-F163-62DF-1F04-000000006F02}22648128C:\Temp\dcrat.exe{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000277080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.007{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:41.715{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1773ED5F1B0358AF42902AA9539DA7,SHA256=32095D5F29398D811EBE67EFA7B6EAD18293F6C8A7BE1CC39462169D6B93C68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:41.773{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E9FB544CE84846B158C08381CA80A7,SHA256=079A3159870E14ED2268DED2EDEB2C1DCB2811F20C2A9A1936895E281C7E5D52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:41.405{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:41.405{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:42.808{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C33AF63AF418F85BC20F03F2B218BC8,SHA256=328479A83200E31168DF136A53F36276F329BA34903FE134703F86707ABCB4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:42.825{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68AC47F653D861F7A9AA5F18B810A3C8,SHA256=36E06C10DA0C428A34D961CADF11DC3CBEE3A29138F2694B0CEB79DCB3586D53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000277274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.186{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64956-false10.0.1.12-8000- 23542300x800000000000000053282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:43.902{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C13D59989746AD2BFBB216E8B0FE11,SHA256=C7F51C4BF92BD8853A63B1F36E6D45FF77785C67E8D2EEE9A0EC91F109C13724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.944{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED2A210D8B5061AFFD8000AB9A589C8,SHA256=E719A3CCA336591FF973857E3A929EC8B83A7FA034488B7A2A3531F6C516B1E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:44.996{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C865C710AD8BD228A25807BD69C22DA0,SHA256=BEDC9C70686A53A793056C899E46EE528B15D0FF4E400DDF9E77F5B75232A107,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:42.333{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51025-false10.0.1.12-8000- 10341000x8000000000000000277344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.725{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.725{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.725{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.690{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.690{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.690{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.690{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.690{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-F3C8-62DF-8F04-000000006F02}66281068C:\Windows\system32\cmd.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.663{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.644{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.644{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.644{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.644{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.644{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.626{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.625{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-F3C8-62DF-9004-000000006F02}80927828C:\Windows\system32\conhost.exe{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-F163-62DF-1F04-000000006F02}22648164C:\Temp\dcrat.exe{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.608{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.674{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34AB882CF35614A72C7836F1FCF1EE3A,SHA256=0B57A41614863CC7FEBD27CB5AF2A37B122A2C353CFF9186C81AD6195580C0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.259{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B20692087D9FA411651976186509A6B,SHA256=505EFBE5401571905E3A074E086DD123AD3FFC254FC8497C2B5BA918A53F08C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.259{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6BF11DFD7D6611E1ED5D637E9E3236,SHA256=89964AE4554933E4B760C848D2B877B88DB55CD7ACD6ECA80A634B342FCAACE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:46.090{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A46659E21F8827006162F94F263E7A34,SHA256=0D95FBD14E179EC51F53822AD3A91831BB7D74946BECFCD08836A7C6341255F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:45.996{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:46.290{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512DAECBA5192F5A4350669B51066F69,SHA256=2CB12DCB6ECB53E2B1E296759C22E530F66BDC1AD6727C95AA9371A728620DFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:46.052{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51026-false10.0.1.12-8089- 23542300x800000000000000053288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:47.340{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2071E6273FC109C8C495EDD4283C4369,SHA256=9BC5D9DD6450B71AB6470BF09E93691936378DDDC2C48E3B3C0BA6F8F51A9BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:47.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6EA0ECF4D53638C924A6B4644C1097,SHA256=8BC14896D1AD7D53BA1D09DBD9A5470DFE846D76844720441A8D6BACB4ED8CD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.391{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C912A7AFD93EBF090CBE4250E5251FE7,SHA256=98D847DFB5F6352F5C9DD9C130AACE944419068C495EA5E95D0B295FDCB98D3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000277349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.132{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64957-false10.0.1.12-8000- 23542300x800000000000000053290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:48.168{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CCE370BEA71EE31C35F999823F77C1,SHA256=8EB0474E92F9810A84B743B36BCB4148776AC959CA228295B7366C204C49E82A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.993{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-F163-62DF-1F04-000000006F02}22647940C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.962{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-F3CC-62DF-A604-000000006F02}70366612C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.959{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.930{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.930{F81F30E6-F3CC-62DF-B504-000000006F02}33368008C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.930{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.924{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-F163-62DF-1F04-000000006F02}22642984C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.917{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-F3CC-62DF-A404-000000006F02}58446448C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.913{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-F3CC-62DF-B204-000000006F02}72287548C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.861{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.861{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-F163-62DF-1F04-000000006F02}22647380C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000277733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.854{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 23542300x8000000000000000277731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA76DF692EC20E0ABA2980461D17591F,SHA256=2E6B0430243768ADA0BDFF8392DBCEADE7001EE4090131BF5F288F9930C7035A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-F3CC-62DF-A104-000000006F02}58927184C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.835{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.828{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.828{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.824{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.808{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.808{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.808{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.808{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.808{F81F30E6-F3CC-62DF-AF04-000000006F02}78487764C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.793{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.777{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.777{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.777{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-F163-62DF-1F04-000000006F02}22643008C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.765{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 23542300x8000000000000000277703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B820CB67CC37F073FB8D59F1B95E3CCE,SHA256=17BD34BC0F7EAEE13F39FAF0F55FFD41E898199BD6242FD80C699CD32A1AE2B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.746{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.746{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.746{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.746{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.730{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.730{F81F30E6-F3CC-62DF-AC04-000000006F02}75722816C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.730{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.729{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.728{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.728{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.728{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-F3CC-62DF-9F04-000000006F02}78921696C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.718{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-F163-62DF-1F04-000000006F02}22646620C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.710{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.677{F81F30E6-F3CC-62DF-AA04-000000006F02}35325244C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.662{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.624{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-F163-62DF-1F04-000000006F02}22646824C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.609{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-F3CC-62DF-9C04-000000006F02}73326812C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.600{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.577{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.577{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-F3CC-62DF-A704-000000006F02}47206860C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9DE6FFFE9BDE37D7DF413B341B9BC8,SHA256=6B43878FCD36972407C346B7BC058B8C0D96DA38C6B06F4731239BB5D0305047,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-F163-62DF-1F04-000000006F02}22641928C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000277610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.530{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.530{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.506{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.506{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.506{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.506{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.474{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.474{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.474{F81F30E6-F3CC-62DF-A504-000000006F02}10647560C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.459{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.459{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.443{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.443{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098479A0AACB0B2432AB623C079D5E87,SHA256=2B3C42775236097441AC7B9E51A50A4055FF7C58ED7BE12BD314797DBB140B99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-F163-62DF-1F04-000000006F02}22646720C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.439{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.425{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-F3CC-62DF-9904-000000006F02}68287008C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.424{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.424{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.406{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.406{F81F30E6-F3CC-62DF-A204-000000006F02}43005732C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.406{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-F163-62DF-1F04-000000006F02}22645436C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.398{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.359{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.359{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.343{F81F30E6-F3CC-62DF-A004-000000006F02}79447912C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.328{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.326{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.325{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.325{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.323{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.323{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.322{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-F163-62DF-1F04-000000006F02}22644884C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.319{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-F3CC-62DF-9704-000000006F02}28522872C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.284{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-F3CC-62DF-9D04-000000006F02}78762540C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.259{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.259{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-F163-62DF-1F04-000000006F02}22645136C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.257{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 354300x8000000000000000277476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.609{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local138netbios-dgm 354300x8000000000000000277475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.609{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 10341000x8000000000000000277474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D8AF32550175F831EB7818FC6A9E5E,SHA256=70D2F0E6E7E56CD5C371D62B6D9BF1B4089B879F00936BB0425D9A7CCB6E35B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-F3CC-62DF-9B04-000000006F02}11324524C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.226{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-F163-62DF-1F04-000000006F02}22647188C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000277439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-F3CC-62DF-9404-000000006F02}49486928C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.207{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 154100x8000000000000000277437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.207{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.175{F81F30E6-F3CC-62DF-9804-000000006F02}12407176C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.175{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.175{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-F163-62DF-1F04-000000006F02}22646168C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.150{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.128{F81F30E6-F3CC-62DF-9204-000000006F02}72608036C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.142{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.128{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.128{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.128{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.124{F81F30E6-F3CC-62DF-9504-000000006F02}65563716C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.106{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.106{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.106{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.106{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.106{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-F163-62DF-1F04-000000006F02}22644360C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.094{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.059{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.059{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.059{F81F30E6-F3CC-62DF-9304-000000006F02}72686012C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-F163-62DF-1F04-000000006F02}22647452C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.047{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000053292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:48.208{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51027-false10.0.1.12-8000- 23542300x800000000000000053291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:49.261{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A3CAD071F089662574C3E2DB026D19,SHA256=547D10F0034AE7B8D0E0F73227383EA89D96226BA3C63808C4EDF72F6273B797,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.708{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.708{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.708{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.708{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.692{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.692{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.692{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.692{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.692{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEDBD48FF45B48D02AA079DFA954790,SHA256=19379134F146547C8954AE6468C17B27DC83713D528C656CBD72B3E0B60F17D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.661{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.661{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.661{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.661{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.629{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.629{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.629{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.629{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.629{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.626{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.625{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.625{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.624{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.592{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.577{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.577{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.577{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.577{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0514714657D0239DC68CD41FC60D483F,SHA256=365FC7C50EBD58428D25DB0AFD9F0360E5CC7B9FAB76ED3318106AD8B3218BB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.545{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.530{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.508{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.508{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.477{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.477{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.461{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE6A41A68B19C87F232848D676B2BB3,SHA256=7D7F099264BA409C6912CACD28A7C06115527D929CAD720F74A35D6BFFCC526F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.429{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.429{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.426{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.425{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.425{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.424{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-F3CD-62DF-B904-000000006F02}8068292C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.402{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.377{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.377{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.377{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-F3CC-62DF-B704-000000006F02}65605284C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.352{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-F3CC-62DF-B404-000000006F02}80206100C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.311{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.293{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E9E028E1473A5F2EF71BB6D204E0E8,SHA256=7CC4BDF43BBA877EA2608582F4D46BE53BD7DD6DB824940A9EB436DC1EC6C459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.293{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.277{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.277{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.277{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.277{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-F3CC-62DF-B104-000000006F02}61603680C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.263{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.230{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.230{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.229{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-F3CC-62DF-AE04-000000006F02}57163196C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.210{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17013CD9505F500B03AC7A9F6C572C9,SHA256=CEA2E44B02A4A3183C2CA980F4F343F800C51785E41598D60EF19D72930B64AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-F3CC-62DF-AB04-000000006F02}71162544C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.148{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.126{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.108{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.108{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.093{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.093{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.093{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.093{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.077{F81F30E6-F3CD-62DF-BA04-000000006F02}47485292C:\Windows\system32\conhost.exe{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.062{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332E3240FBD5B3E73CE85D1D01A1EE3E,SHA256=01AA95D2D301D73706FEF22C7F54CBE5B5AA1F9EF5E277802F14E14B043F826E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.062{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.062{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.062{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.062{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-F3CC-62DF-A904-000000006F02}43166604C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.061{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-F163-62DF-1F04-000000006F02}22646308C:\Temp\dcrat.exe{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.053{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.025{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000277833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.024{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.024{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.993{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.993{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.993{F81F30E6-F3CC-62DF-B804-000000006F02}65207656C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.993{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:50.355{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3E5DB47EDBD62BD6E00DA26BB59FC4,SHA256=7C55B0F1252ABE8A5C147534ECBA95FBC6935CF690D576AC20FF4C02D3415FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:50.544{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A078EC301729A89F3262E3F37616D8,SHA256=A25BDDDE3EECDE4AEB5D630BA7A31D945FE862966A47648619DE5B89EAEA44D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.005{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64958-false10.0.1.12-8089- 10341000x8000000000000000278109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:50.326{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:50.325{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:50.325{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:51.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9006276A851E7C83A3BD26F1AFB619,SHA256=656237587244320087FA0D4602EC64BFD1EF70BE7E41BC4C133A3720F06C7F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:51.644{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5775AFC281C79AC34EE3F3FD5B8A54D1,SHA256=B1126DE326017D64AAC61CC7E161F4457D0DCDD595D2B776B50B49BBB5E19173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:52.558{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710A6E0B8E8D1436B94BFB6DE1F68FF0,SHA256=5AF01894F8403016877DCE48AEB7A67F4C6D9580029F4CB5E972BA5319AB3BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:52.783{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CE06839FE9C0E228E321BAA6D366B4,SHA256=9E1A1B2DA5C9E3D756BD6E215A3B783F6F02BB61D2161CF8DBAFE77E219AA4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:53.652{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D933B005FC6E19B3F44D6BE7CEFA7844,SHA256=7E97A369A83A009DF105D010F56ECB22CAB8F5C635466C5B0B1F243BB95216CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:53.881{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E86C3C000BA017AEF4F97FB9B3F80D,SHA256=3470F872B119CBF81E5761A47C8F4A9C683FCA33B5EC13078D0F86F237722986,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:51.037{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64959-false10.0.1.12-8000- 10341000x8000000000000000278115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:53.382{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:53.382{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:54.746{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B405D6364241CFCE252BA46A1B0A272E,SHA256=91476BA5BF17284D213619D4DB9B5AB762D72018EDEFAE08C587217D6634CD2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:55.840{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E893732A2AB76C83DAA676938E75869,SHA256=CD4AB21ED636E11099850B5044006A152DDD44675600B53A91A36846972ED0FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:54.223{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51028-false10.0.1.12-8000- 23542300x8000000000000000278118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:55.012{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD703DD830F6C0F611526E355966BFC1,SHA256=DD07873AD3FCF7A0748F5BFF01FB30A1482DFDA6B06AB3488F908716E0D445CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:56.933{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C9FE0E32F33D7AADC72E2667C7FF8F,SHA256=102479084683AEAFE9BF1F5426A0567EBE6F183DCEC0839A340DE6B3DEDDF855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.448{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000278122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.448{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.448{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF66f80b.TMPMD5=916C2D93B58C5CBAC8AC3098A059BFC5,SHA256=55953AB8F4BC753693EBC3ACF5A7C00D704055829032829763C3617710DD9C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.428{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\aborted-session-pingMD5=584D5F96DD30DE58A1219FCA89FB4F11,SHA256=C76D157142E28131F3FCF81F97167A99DB85FC8DCE313BF3DFA6DF27013F34AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.064{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4462653B8BACDAAE25F56F244D27ED22,SHA256=33BCCD9B0C754F6EF0A85F8D77889294B7ACC7C643428E8C71234E2273997E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:57.394{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=7B37D23C0EAC1D88C8C34B5BC6480FC5,SHA256=4FE4DCBB4B89D722AEC92CB2C236ECA859B1606C9D7733E9AC2324F5362B1D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:57.094{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B699782792EA2C1F8C7D2013141847,SHA256=7A261A24BFBD92F40C15CBB279702673282921596899991B9D68E8B342D9BF66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:58.027{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86B11960781BD51D180E1BD7A069C67,SHA256=52FAE7780C75FFF910731AAAC92C5ACB8B1663242F0E7CC112868C87BEB46653,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.041{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64960-false10.0.1.12-8000- 23542300x8000000000000000278126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:58.193{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E4E251130618496B5EFBD5FC7031F7,SHA256=CC527006979D73C5E7C87A608EF2B27DB8DBAD764AC2928EB021265CD96A6130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:59.121{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD0C39DB1939809CA52E9A3D8399320,SHA256=D9186155C31A2E68F4155EDADD60F1180239E88B82F0CDA11E7293C6A238298B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:59.226{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94592D9E50DDA311F7BCB26DC4875746,SHA256=D9A8112DA4B066913247B87DD074F07DAB4921106893837292464AF6C733BB52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:00.325{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E5ADA1085CDCD240531DDF83076C82,SHA256=1D6E431CFF2856424D2CEB2F0E6C18B56139D8F0DE59DE1D01D7167A03232F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:00.215{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C56CCFE8FDB9211862A24A530614457,SHA256=B8C5CC470AC6DF9FBCE5BBE09CB2DEFF9A61B326F965BCC3AB59658C2ED59917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:01.445{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8427640B4DF5D0F9F8623C7595A7277,SHA256=FE7A34B42E41947270C84BDD39CD7AF3C958B051FB6202A2D5BF68DC4FD46161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:01.345{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6A929628F37CF38CC47CBE83CD06FB7A,SHA256=91F5D2B73795D0B93AE7C4934BEF5D8539BA75A3EC90EB6B87780016EA8023AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:00.177{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51029-false10.0.1.12-8000- 23542300x800000000000000053304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:01.308{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78A83400F4D4AB2829175B479FD7E7E,SHA256=7DB0691793FDEBCF0ACE32CE2A21CA505786050DEA39D026E4F8571AF831D50B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:02.475{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC805D9C96042720F80B373AD43C9415,SHA256=BE4AED077D8F30D673CB0036B7D04E4C19376E0E5BB32FE3B95757412D97A4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:02.402{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADB2D434C86DC17696C68CCCF5A5506,SHA256=11C4157E1D267009163DBEC952BE16E5DFC539788FE6C0C440B4D1B25FE6ADCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:03.496{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8EA8EC6CB640CE9CAD35287D44F3350,SHA256=BC044935040C24159B2FF213C2DE97D1AC4D4033556181BB3AEB0629FEA47462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:03.777{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11C276117F01579D623CD5C42AB79E1E,SHA256=09AA8B6E24D4207392933C09333FE951E6514C33AA927490DC40DC1C2E177018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:03.606{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B871CC8300220085B9FFCD91127B6E,SHA256=5AF8B99548D58BD46236D0BAA635C7894587ADDEB2EB42A5FBF12366F763084C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:01.219{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64961-false10.0.1.12-8000- 23542300x800000000000000053308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:04.590{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F0C789915DC3977DF50E9269C15945,SHA256=E65744B6F54C091EDF42DB59D208832A3FCDDB6F53B2058F7C08909439452A8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:01.718{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64962-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000278137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:01.718{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64962-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000278136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:04.594{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DA17D6BDEBB421C691F80078F37BAC,SHA256=A0F3B4D6C2C6A258D4B1B650D3774FE4F8CF6EB81F7DBDE943D77AE412F6D0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:05.683{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C162010F3C067A6BB7F1520DAFE29D,SHA256=9D05FF6FCAB97BE81C61470EE63FFDEB3BCF6182D03FDE166B390F73A1A53A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:05.626{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF2F3D5FF4EB3AF0BCA2BE1C4744AF7,SHA256=9580218DE68354E1AB117E28612818BDE35FE09450682D91A8F21872035FA12A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:06.777{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCBB94D5405A32487B5B8E1449A0651,SHA256=FE41259BDB5A4327892E10618AA2E68B652F6513E0C8591E6A46B94BF2C8144B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:06.668{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50253AD917B03DE9077948B9377CAC17,SHA256=31FE634510DDBC1D8B55131EF054995EE55654BBC8B61B93364497996B892E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:07.871{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604320F66E474F70DFDE6CFE7F7C6C90,SHA256=A88DD06601B276C384C4D601626473C06189B872EA55663A8D834FEFB053B581,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:06.114{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51030-false10.0.1.12-8000- 23542300x8000000000000000278141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:07.713{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF6F8D09F787DD5C71B7006D0DAC6C0,SHA256=D4ECD4CB1E8C1FBBC189404CBDFA4B22AE4A8B626198E36B78FB41863A744F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:08.965{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F217C28C2BC06B625249B228610A1B,SHA256=EC4EC8218E4529690AF1925D0ACB730CAC9DC499B4FF7662BCC85A2281B8EE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.839{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC04A56DB2499CAEB762B6FE98A4790D,SHA256=EC4D79EAAC77405AD296CDDBED7BF4DE2A1AD888825FE6A1EE0750A223CC0D1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:09.974{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D538CFA391D05A4EE7ED3AE667579F07,SHA256=85C8CB0CD2D9F7C199F0EBAAF8C30E007BA5C73CD6284018A89E9D34D7A9ABED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:07.215{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64963-false10.0.1.12-8000- 23542300x800000000000000053314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:10.058{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C527A1D5E78A4843E5EBED76A9F552FC,SHA256=1CD8BC12D1677EF16459CDF10FCA2FA79094D0690A245BBA1A0D533563A44E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:11.152{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC27A3F9F5FD58046051FB1C2B4BD402,SHA256=B4EB1CD6144B20182EA995C1B189D90DDC2CDF3DBF79691A7FED4F2EB6F6FD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:11.020{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BE293AAD0717F58C3C2EE9AC84D245,SHA256=EACF7CADA51F1523B3309A8A102838A717866F031FD1C55775D56CB2EEA637C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.918{53069400-F3E4-62DF-8E03-000000007002}10524028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E4-62DF-8E03-000000007002}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E4-62DF-8E03-000000007002}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E4-62DF-8E03-000000007002}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.747{53069400-F3E4-62DF-8E03-000000007002}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.371{53069400-F3E4-62DF-8D03-000000007002}656288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.246{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AFB8970FAF4FF231A9EAEA546A8F27,SHA256=0EC1E217BECDEAA5A152C979CA56DB589C2BA5A694D22C1CA84574090757865D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E4-62DF-8D03-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F3E4-62DF-8D03-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E4-62DF-8D03-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.184{53069400-F3E4-62DF-8D03-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000278154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:12.056{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6740A9C99DB25043E6A115649125F0E8,SHA256=EE5D143D37DF958AA42EFC9BB55C333E4579EE4D1596ACF5E9ADCB0D73391AB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E5-62DF-9003-000000007002}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E5-62DF-9003-000000007002}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E5-62DF-9003-000000007002}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.872{53069400-F3E5-62DF-9003-000000007002}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.511{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C07FEBB43CA1C2B5A7DE725776B1F3,SHA256=C851584E7FB3F8A1539E1D2CDCDA30AF4BDD1D68E7F69A5EBC245AEEC70384FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:13.101{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FD7833826DC849FEF00A1253DF3799,SHA256=B84E105850F87A7D3C67A4BAFC651CD804CBEC017C03DC4DA030B7602D541610,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E5-62DF-8F03-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E5-62DF-8F03-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E5-62DF-8F03-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.372{53069400-F3E5-62DF-8F03-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.246{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB3A5CCABEFD89ABA2A041F68C21DF2C,SHA256=EEAAAA745E15848D430603B54ED5BF8FA1A1A6EDD21ADD5D62F5E03C18E7AC03,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:11.333{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51031-false10.0.1.12-8000- 23542300x800000000000000053388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.652{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D17BC50FA381B5489A37761D86C63DB,SHA256=ED5557519D585D77E747B3E41B4B348E4544315923E6F1CF089B37B50BC9E203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:14.155{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF154A21EF915161BC91BF2B26E1A0D,SHA256=FDE2635449CCAE858A51702DB6401A9064D12BE6B1BFB76373698C98E0D0CF2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E6-62DF-9103-000000007002}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E6-62DF-9103-000000007002}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E6-62DF-9103-000000007002}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.512{53069400-F3E6-62DF-9103-000000007002}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.012{53069400-F3E5-62DF-9003-000000007002}33363624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E7-62DF-9303-000000007002}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E7-62DF-9303-000000007002}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E7-62DF-9303-000000007002}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.794{53069400-F3E7-62DF-9303-000000007002}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.668{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0ADA6F59852D2CE8A9D3E3FCAA00DD,SHA256=ABF95E6BF2B407CF6F55D392EA072512E5C0A7135744F660B342DE0F53B62BA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:13.167{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64964-false10.0.1.12-8000- 23542300x8000000000000000278157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:15.200{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0399AB257215AB22D9B1E713D642D211,SHA256=392C64CDFFA6F5F41891995AEF724A5B98C028E475DC4428731587C3924DCA18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.293{53069400-F3E7-62DF-9203-000000007002}37643940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E7-62DF-9203-000000007002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E7-62DF-9203-000000007002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E7-62DF-9203-000000007002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.137{53069400-F3E7-62DF-9203-000000007002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:16.871{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A337A82AD01F186E271F8277D5763F09,SHA256=64AAEDC42B628DA9F655497ABDB331431393BEE07E5EED2FD1AD43C24B0D6B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:16.761{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D8BD6E44C96E0FD339B4B819930635,SHA256=160A81EB3B7B2445C40813502C9FFDB799947B887713444A2FC7CEC6637EF1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:16.255{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EAAA1CF1AF5293C4822A54A2BCC31B8,SHA256=261A98B7402F2BDE8009252448EB4A97989AB695BA88D494ABD70EEA9CB9D6A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:17.855{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8F82ED16AE953C316E1AF987948791,SHA256=AB6C4E2991D8BA7DC96C4F973F4BA39C4E8C1A1484F3000C7AF37A75459A9413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:17.285{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E383BD41954DF4AAF57EC12D995DB6,SHA256=5DCC9BBC4BBC06E9BCA2E59CB76B79583F639C6B139FB5567E70330155E368ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:18.949{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4CDD34EDBFEB49DD676938D3B020F49,SHA256=1CA001C1F0DE339E2D47850B820162EB4C4D2B6A7AF069A005D6F807DDA053F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:18.333{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8401AB64F693454EDF007D5F8B2FB2,SHA256=E3DEED04865197A115409B793D243D3BFD4AA6A8236CC976646237CE2E4719F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:19.433{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C55BF5D78F5F51EFA1A32E4695C153B,SHA256=E88F2DB93A84A31BFBE6614D43DBC384166767876DC7331676CC7E4F851462CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:17.255{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51032-false10.0.1.12-8000- 23542300x800000000000000053422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:20.043{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E9D43F4051F6CFB12685763B679612,SHA256=BE7E109E251C0D7F2F3C8C0BFBA1FA8849DFEE6F7E108F4EC2B2AD7A608189FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:20.467{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F27EFA5626792182CE5BA9F5F5B21A,SHA256=660D632A6552FF1D6C3C04CB155BC1C83BD1C6E50DE470302A0ECA47BC09FEC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:19.095{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64965-false10.0.1.12-8000- 23542300x8000000000000000278164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:21.513{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68B302A97EC3DF53FD9746F1058DEF0,SHA256=8D5B24F0A4537584F847A03FCC63B89097AA957F96568495174DF0C98236ABF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:21.136{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3B9B702593859C91D04963E5DDB127,SHA256=F16FFD680C5CDC3E1D4370E6AF3867FA5503C1EDF658BB4BFE790ABDD90DE9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:22.550{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D984FD12D8E74125B8E79B3674DAA5,SHA256=F34E8565050E967A1FFCD5EFA3FDF53F6FE67AEBAF44FAB5B131524D1544C775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:22.639{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-109MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:22.230{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230A487534FFF82E28FC6EC8534AD0F0,SHA256=DD50EE09FC430ACD67436DA445A4F3B1647CC859450226BF58426608A10F1F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:23.580{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FE6AFD54207A23BEB1DA6BA25B1C53,SHA256=3648E9EAFCAA5B3D1A2C1EB6246F3730A1D975F69D3E7C568CF6C6D3796FEA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:23.651{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:23.323{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5059ADC98D22DDDE06FA55A4BB56463E,SHA256=83575CC88F0D185C8A67AB7BDD5CACA643E27EC946980D894D3D6D5E29775D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:24.628{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DFB85AC53A714817E562C442AF4823B,SHA256=7DCEE76BC0572ED59E9243F0A8E7B5F29476CA6A3E2780E405A5CA4E18029EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:24.418{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7C48742C843F1D7E5C02DDAE6D212B,SHA256=1BDEB675B1D964042B8135EB9D6B0375C5887EE2AED48B3F17A60B375A3C45F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:25.663{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9266AA328D2721C043D6C178FD0D2E10,SHA256=5D5D49947796A0B3B7E2D7244FC17A37309AE33D4E7F2920EEE4F2C10EB40C99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:25.512{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B13381959014CDD48132BDA78D181F,SHA256=5022339BC86DA47943C3814C702219327CDCDA0F08BBBF58EEF47FD165621806,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:23.144{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51033-false10.0.1.12-8000- 23542300x800000000000000053431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:26.606{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA676CC876E65980987CBEDC6AD08516,SHA256=2D63D015E6BAC20648D8347BCA5D34CD9E99CF9E54C99D92F4DC42CAF2674DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.779{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5568105FBC03C9DD3E9F74BC13AC23,SHA256=671BCD7280CFDDAE3097146EEF6A6344B3DD60A9D5736165649FF31441896687,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.278{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.278{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.278{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.278{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.278{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.262{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.262{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.262{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:27.699{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86198BE85EBF10CFBC34135483F0DA2,SHA256=C8E92FFCA70796E500F1FD275692750DE711E4982788C797757131C3643DD778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:27.795{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2DF2A4AE4EC2CCD945CE27F03241DB,SHA256=168D1C4646651804D2FA7DC540F3217D863E9C467A54456DB5745BB8911B2BB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:24.190{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64966-false10.0.1.12-8000- 23542300x800000000000000053433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:28.793{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC09E33615F11A5DED1EDE149B83EEA,SHA256=89C61CAAAD668CB34ECDA7E26976F917EE8A456AA896D52450C5DF354CF06A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.964{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077BBE2EF5DCCA9575187EDFF2E921AD,SHA256=12AF2A5ED9BDF3D2E1E3218D6877C7CCD99541DECE85B55FD55DE05306A71470,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.725{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.725{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-F3F4-62DF-C204-000000006F02}81807160C:\Windows\system32\cmd.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.708{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.663{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.663{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.663{F81F30E6-F3F4-62DF-C304-000000006F02}58204968C:\Windows\system32\conhost.exe{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.663{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-F163-62DF-1F04-000000006F02}22643024C:\Temp\dcrat.exe{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.659{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:29.887{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CE84AC81448A035178CA8264B7171E,SHA256=070012C7A1223255D445B3F1ADCA8423597E76E0517743977F786B896211CC6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:29.850{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:29.850{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:29.712{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5497675E4256637248AC4C32944B4BF6,SHA256=AEE36CF6EA39D8DFC2BC57AC56E82C241DB46720C62F47CF64C940F4F0E937A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:30.981{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6175C9DC77CD87A726462A3833C457C8,SHA256=B3FC716ADA551D02A90AC8EFF741CC36D75D145D7DDCF49698C80C28E1DB2EE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:28.208{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51034-false10.0.1.12-8000- 10341000x8000000000000000278257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.580{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.580{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.580{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.580{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.565{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.565{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.565{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.565{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.249{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.249{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.234{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.234{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.012{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD0C3A60753557C792335263A965692,SHA256=62EF5ECF6636BFAE7903497F07080C377ACC30A40E5EEFE36BAF5808082143C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:31.894{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:31.894{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:31.663{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B1856292E6834D556F4B1FBDE93E45C9,SHA256=0EA511CCCB117E1A9981C0132981C6DB64E7CABC251128F89AD97AD8A2CE094D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:31.064{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C29427DEB6FA0382DA5A44A94A485E,SHA256=CA40BAD5B862F12B59B731E01858D79BB698CC11ACFCAB46C937161819EEE5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:32.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3CC33AE435A9B94D2BCD5F8A6ED9EA,SHA256=2642DB76A60EEBE3E19901FDD1518D748557A7E6FBE09B56C40B3F55994490FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.928{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3F8-62DF-C604-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.926{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.926{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F3F8-62DF-C604-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.926{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3F8-62DF-C604-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.925{F81F30E6-F3F8-62DF-C604-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000278275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.693{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.693{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.478{F81F30E6-F3F8-62DF-C504-000000006F02}76727768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.263{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.263{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3F8-62DF-C504-000000006F02}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F3F8-62DF-C504-000000006F02}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3F8-62DF-C504-000000006F02}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.248{F81F30E6-F3F8-62DF-C504-000000006F02}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000278262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.110{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF58F043CEEC5F840D083DFB6EB58D96,SHA256=6664419A5ED18CF6BC26406193D30673E9846BEDB67233A4AF950CCB2AD75432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:33.168{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA1ACB968CF3099A22C48EB312C778E,SHA256=A85F168F424679FC1A72B66C7B19FCC4C0ACBB71B67016BF8C01BD74F2F5D9BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3F9-62DF-C704-000000006F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F3F9-62DF-C704-000000006F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3F9-62DF-C704-000000006F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.464{F81F30E6-F3F9-62DF-C704-000000006F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000278286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.150{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D45B123125A94230F7A56224528DB7E,SHA256=9A2C5C0136EE11AC3C7B23A38A514C301FB81B44DF1CFE996DF2CE0D19C6169D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.150{F81F30E6-F3F8-62DF-C604-000000006F02}30848168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000278284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.078{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64967-false10.0.1.12-8000- 354300x800000000000000053441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:33.239{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51035-false10.0.1.12-8000- 23542300x800000000000000053440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:34.262{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54459C94FEB6913E517A660361985B0,SHA256=F4CA2F7A7D605E06304CD208D349B2ACC55569B87631D3A95FAEC0212A537794,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.977{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.977{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.977{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.977{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.946{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.946{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.946{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.946{F81F30E6-F3FA-62DF-F304-000000006F02}87248748C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-F163-62DF-1F04-000000006F02}22648656C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.938{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.926{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.926{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.926{F81F30E6-F3FA-62DF-DF04-000000006F02}70047924C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.926{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.926{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.925{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-F3FA-62DF-F004-000000006F02}86328660C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-F3FA-62DF-E204-000000006F02}82568260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-F163-62DF-1F04-000000006F02}22648576C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.882{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-F3FA-62DF-DC04-000000006F02}71885136C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.870{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 23542300x8000000000000000278734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF604104B052EDFFBFC79968FBE9F62,SHA256=217065C4514A4A8B9B6B69DA102907BE7FDD8AF5AE6C1A3004329284AEDFB958,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-F3FA-62DF-ED04-000000006F02}85488580C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.826{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.826{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.824{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-F163-62DF-1F04-000000006F02}22648484C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.824{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-F3FA-62DF-DA04-000000006F02}70844128C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.813{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4B271AEAB9E3C3B620E053CB7D9480DD,SHA256=014C122EABA681E4152600DA5A857AD770BFD2F9A245D54DFCFFF0E4E0618CD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.777{F81F30E6-F3FA-62DF-EA04-000000006F02}84688492C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.777{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.777{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.777{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-F163-62DF-1F04-000000006F02}22648392C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.768{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-F3FA-62DF-D704-000000006F02}70167856C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.745{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-F3FA-62DF-E704-000000006F02}83768404C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0E867D3E35CACB53CD6BAE9B23DE38,SHA256=15864B251C672611543DE2B620F26DF11ADAF72870B0C9812CC36E113CC90BF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.728{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.727{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.727{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.727{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.726{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-F163-62DF-1F04-000000006F02}22648304C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.709{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.693{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.693{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.693{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.693{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-F3FA-62DF-D504-000000006F02}63845132C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.674{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-F3FA-62DF-E404-000000006F02}82928320C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-F163-62DF-1F04-000000006F02}22646824C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-E204-000000006F02}8256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A9CDAC542A508FA28EFB7B46C9DCB4,SHA256=C3F63A560BD62241C8FB6439329AB110C6D713859C5B431D6025BB3E55EDF36B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.629{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E204-000000006F02}8256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.629{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3FA-62DF-E204-000000006F02}8256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.628{F81F30E6-F3FA-62DF-E204-000000006F02}8256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000278586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:34.027{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5BE9FFD5A750BB034D19294D9BF3BCA5,SHA256=2D9BDD234D74A1CA5E6B5203B77188527BDA2A91C60AE566769811A1F1480C11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000278574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACA3E2DA0189E661BDD789422DA4D72,SHA256=2ABFCF95AF035F5D51E1671F62FA49B38E4CFA4357F273A9893ABC112DC52F74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-F3FA-62DF-D204-000000006F02}67766496C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.613{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.593{F81F30E6-F3FA-62DF-E004-000000006F02}77688216C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.593{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.593{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.593{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.593{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-F163-62DF-1F04-000000006F02}22647380C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.589{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-F3FA-62DF-DD04-000000006F02}19285620C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-F3FA-62DF-D004-000000006F02}2820372C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.556{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-F163-62DF-1F04-000000006F02}22644360C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.529{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.529{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.529{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.528{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.528{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.527{F81F30E6-F3FA-62DF-DB04-000000006F02}68646168C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-F163-62DF-1F04-000000006F02}22647320C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.508{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-F3FA-62DF-CD04-000000006F02}25522560C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-F3FA-62DF-D804-000000006F02}52967096C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-F163-62DF-1F04-000000006F02}22647672C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.469{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.446{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.446{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.446{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.446{F81F30E6-F3FA-62DF-D604-000000006F02}35043100C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.430{F81F30E6-F3FA-62DF-C804-000000006F02}67365888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.425{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-F163-62DF-1F04-000000006F02}22647392C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.413{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.393{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.393{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.393{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.393{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.393{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-F3FA-62DF-D304-000000006F02}965744C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-F3FA-62DF-CB04-000000006F02}70565248C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.373{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-F163-62DF-1F04-000000006F02}22643452C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000278398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.351{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.330{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.330{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.330{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.330{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.330{F81F30E6-F3FA-62DF-D104-000000006F02}32966356C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-F163-62DF-1F04-000000006F02}22647496C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.305{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-F3FA-62DF-CE04-000000006F02}42367092C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-F3FA-62DF-C904-000000006F02}12766820C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.290{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-F163-62DF-1F04-000000006F02}22647384C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.267{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-F3FA-62DF-CC04-000000006F02}80566472C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-F163-62DF-1F04-000000006F02}22647692C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.238{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-F3FA-62DF-CA04-000000006F02}65928064C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-F163-62DF-1F04-000000006F02}22641256C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.210{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.177{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9475163694DC3BBB29B0A0DB41FD85B,SHA256=3A81575C15251AACF26A7D8593A0294F55965463CC831B76ED590361A9F1F80F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.129{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-C804-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.126{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.126{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.126{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.126{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.126{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-C804-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.125{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3FA-62DF-C804-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.125{F81F30E6-F3FA-62DF-C804-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000279199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.991{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.944{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.929{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.929{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.929{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.929{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.924{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.907{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.907{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.907{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.907{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.907{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0944A9018660D55BC3F8CEC53CAC8842,SHA256=1A83C5251B539CEB67353E4C9D4FC9F6B192BC7F59BCFFF587DAC7D37136B7D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.891{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.876{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.876{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.876{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.876{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.876{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.844{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.844{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC92B49440C47DA5D11F06313C8E5CA,SHA256=B11EE72131EEBF6F9954D26F3E09665948D3FC0BBCC4C2782E794547D5AE0FEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.829{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.829{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.827{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3FB-62DF-0705-000000006F02}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.825{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0705-000000006F02}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.824{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3FB-62DF-0705-000000006F02}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:35.356{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94455F84615029FBBD46C460ED454CB,SHA256=7150F2525C650C3AA029576735CED2A310802F76C3A7C2F239639D27DC3A9B24,IMPHASH=00000000000000000000000000000000falsetrue 154100x8000000000000000279145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.824{F81F30E6-F3FB-62DF-0705-000000006F02}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000279144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.807{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.791{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.791{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.776{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.776{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.776{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.776{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.745{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.745{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.745{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.745{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.728{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.728{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.728{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.727{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.707{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-F3FB-62DF-FE04-000000006F02}90489052C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.699{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.676{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.676{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.660{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.660{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-F3FB-62DF-FA04-000000006F02}89528956C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.649{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.629{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.629{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.629{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2DA3B3912D16AEE669C628952F85BE2,SHA256=F47950038A0EEB119CCA2CEBAAF6150FCE4FEAA350DAD0AB4BAF2F02D485CFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.626{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E31BB7D8B25AC5CDD46694ED3C7B1EF,SHA256=3E610AE936EE60F27E4BCCEA52FC30C8365D2C35C5F3B1002957FE23B20FFAF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-F3FB-62DF-F704-000000006F02}88648868C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.604{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.560{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.560{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.560{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.560{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.560{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-F3FA-62DF-F404-000000006F02}87808784C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.540{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.527{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.507{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.507{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.492{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.492{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.492{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.476{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-F3FA-62DF-F204-000000006F02}87168720C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.471{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C48271FB219FD5CBD639D245BDB8C39,SHA256=86D2320D12B8537B8A5ABD3827601EF07F22670C0C403D4555F620CCE91576B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-F3FA-62DF-EF04-000000006F02}86248628C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.398{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.376{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.361{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.361{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.361{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.345{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.345{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.345{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.345{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.345{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.329{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.329{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.329{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.329{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.329{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.292{F81F30E6-F3FA-62DF-EC04-000000006F02}85368540C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.307{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.292{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.292{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6607AA6D19D3728C3C98A1B9049993B6,SHA256=6785DBEB411ECBC3134A0648E5A41C2763B97D4FFDD3A73C826AED838B412273,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-F3FB-62DF-FF04-000000006F02}90569080C:\Windows\system32\conhost.exe{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.245{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.245{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.245{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.245{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.230{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.230{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.230{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.227{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.226{F81F30E6-F163-62DF-1F04-000000006F02}22649008C:\Temp\dcrat.exe{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000278938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.226{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.226{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.208{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.208{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.192{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.192{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.192{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000278929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.177{F81F30E6-F3FB-62DF-FB04-000000006F02}89609032C:\Windows\system32\conhost.exe{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-F3FA-62DF-E904-000000006F02}84608464C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.170{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3FB-62DF-FC04-000000006F02}8980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FC04-000000006F02}8980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3FB-62DF-FC04-000000006F02}8980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.149{F81F30E6-F3FB-62DF-FC04-000000006F02}8980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000278906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34C4ECDEE3CB1090CDEC79140D18067,SHA256=6DE4DCE206DEB70179401FBFDD55D0F41F0432DE68DCB7963303DB1D05FAF77D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-F163-62DF-1F04-000000006F02}22648900C:\Temp\dcrat.exe{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.138{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.129{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.129{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.125{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.108{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD28056C01EF07C7E46AC0648E2DCA3D,SHA256=FFD6D42D5A4530D4407DE3936E98129548259405A16445D9EA8EBFC9B5C9B2EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.108{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.108{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-F3FB-62DF-F804-000000006F02}88728924C:\Windows\system32\conhost.exe{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-F3FA-62DF-E604-000000006F02}83688372C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.094{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-F163-62DF-1F04-000000006F02}22648836C:\Temp\dcrat.exe{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.078{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-F3FB-62DF-F504-000000006F02}87968840C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-F3FA-62DF-E304-000000006F02}82848288C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.003{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-F163-62DF-1F04-000000006F02}22648744C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.998{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 23542300x8000000000000000279245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.893{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-109MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.392{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B3FB8FA1819203F0D95A63AD66A102,SHA256=AC4E0A5EE7E58A69D5CBB3F44BC28C561410B8DFB8A4E74B742DCA113D50F355,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9C8F61DF01CC442373C31F995DDE81,SHA256=4923D30BC02F339117C9769FDC525FF6E8A627640C5A4C4C7D5B12BFEA1B8260,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.991{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.991{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.991{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.991{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:36.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6691D697F58F16F35E196ADD3F554F37,SHA256=8279DE149006903D65C0DEF4C1078DB15A76B96243D97A74E8B9004D9B25BEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:37.907{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:37.543{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B9714A7C74D584ED93B2AE6156AB49,SHA256=21F099818ADAFB4CD473941DA8C079102BDFF2AFAB136FFC66850D806D086336,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000279246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.156{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64968-false10.0.1.12-8000- 23542300x800000000000000053444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:37.543{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95FBF2E3DAE7079E5410207509A3021,SHA256=8C53198F4F89BB299B8517130DA2EB74EF600F280F7920096B57AE96329055BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.705{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.705{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.705{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.674{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.674{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.658{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A73B770770CC1B06D872F41DB8A95B,SHA256=FB355A2F92AAEAA981CC4DC3CD44E5D569281DBD3524E91AA9016239CEF595D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.627{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.621{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.605{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-F3FE-62DF-0805-000000006F02}93609364C:\Windows\system32\cmd.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.602{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.576{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.576{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.576{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.576{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.543{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.543{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.543{F81F30E6-F3FE-62DF-0905-000000006F02}93689388C:\Windows\system32\conhost.exe{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-F163-62DF-1F04-000000006F02}22649356C:\Temp\dcrat.exe{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.535{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:38.637{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837F674E92AA4A9428BBAB3144B41469,SHA256=40A824923C87C4FB8683488CF24F44F103326C3C08895069E77751D5147FE7D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:39.731{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D341CF8A5F72B68A71AF9A0447ECE8FC,SHA256=1A0F62F6F7EFA20CFD80E29F8BE61EFA963DD611D58B4E0967D5ADE45BF4C99D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:40.824{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC13CA625731590C48C8B27BFDA181E1,SHA256=49A48B0339AB63F23CA25B58D8A0085A1E670648672C271A6B6E058BC730E690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:40.972{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA700F7F2095E4FDB80009802754AE79,SHA256=98A1BB971173C31E4A572254657EF1FD76441083654AEAA3F9FEFD45A4D73D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:40.104{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53489EE9E960F1F71F23F9F40BD0353,SHA256=0E01A1BA72FF7C7FD644914AEFEB67C27D2D1690034D1399CF4D5DF5EFFB51CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:39.177{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51036-false10.0.1.12-8000- 23542300x800000000000000053449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:41.918{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B58A2C7135518EFE0C79D7152570BA,SHA256=91F16108C2D738CC26046FFF66725CAC6611AC3AEBC21CE805865A1EB07F0F05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.989{F81F30E6-F401-62DF-2205-000000006F02}1001210040C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-F163-62DF-1F04-000000006F02}22649960C:\Temp\dcrat.exe{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.966{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.942{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.926{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.926{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.926{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.926{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.923{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.923{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.922{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.921{F81F30E6-F401-62DF-1105-000000006F02}95889592C:\Windows\system32\cmd.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.921{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.921{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.904{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.904{F81F30E6-F401-62DF-1F05-000000006F02}99409968C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.904{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-F163-62DF-1F04-000000006F02}22649900C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.892{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.873{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.873{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB3999A1474FE1504C0CF02162538D9,SHA256=D1DC7A66417B77CB6F5BE5A6C658D685A13577C000F099967D54A10063135638,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.857{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.857{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.857{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.857{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.857{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F5AF6E1FADA75B24055EA6E9B2A0E4,SHA256=6CEC3DC5F7A12E6381E952D52EA9DA5C5F8F80A3722E5DCB0F981ADE827CF1F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-F401-62DF-1D05-000000006F02}98689904C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.826{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.826{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.822{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.822{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.822{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.822{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.821{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.821{F81F30E6-F401-62DF-0F05-000000006F02}95489552C:\Windows\system32\cmd.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.821{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.821{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-F163-62DF-1F04-000000006F02}22649828C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.815{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.773{F81F30E6-F401-62DF-1A05-000000006F02}98089832C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-F163-62DF-1F04-000000006F02}22649744C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.758{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.742{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.742{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.742{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.742{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.742{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.726{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.726{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-F401-62DF-1705-000000006F02}97209764C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-F401-62DF-0D05-000000006F02}95049508C:\Windows\system32\cmd.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.715{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-F163-62DF-1F04-000000006F02}22649684C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000279438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.684{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.658{F81F30E6-F401-62DF-1505-000000006F02}96769700C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.658{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-F163-62DF-1F04-000000006F02}22649624C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.644{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.626{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.626{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.626{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.625{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-F401-62DF-1205-000000006F02}96009644C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-F401-62DF-0B05-000000006F02}94609464C:\Windows\system32\cmd.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.616{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-F163-62DF-1F04-000000006F02}22649568C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.594{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-F401-62DF-1005-000000006F02}95569580C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.557{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.557{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-F163-62DF-1F04-000000006F02}22649520C:\Temp\dcrat.exe{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.555{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.526{F81F30E6-F401-62DF-0E05-000000006F02}95129536C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.526{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.525{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.525{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.524{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.523{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.521{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.520{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.520{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.520{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-F163-62DF-1F04-000000006F02}22649476C:\Temp\dcrat.exe{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.510{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-F401-62DF-0C05-000000006F02}94689492C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.472{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.472{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.472{F81F30E6-F163-62DF-1F04-000000006F02}22649456C:\Temp\dcrat.exe{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.486{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.472{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.972{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.957{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.921{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.921{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.921{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.904{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-F402-62DF-3205-000000006F02}72647308C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.863{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.841{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.841{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.841{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.841{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6541909B6ACD29525795A679297FC354,SHA256=43FACE1E9AE23466F8FCD2BA7E15A8FB11372BD62C74CE8C270F2091F7EF1DC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-F402-62DF-2F05-000000006F02}81726276C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.811{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-F402-62DF-2C05-000000006F02}74089348C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.758{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.741{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.741{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1F3676CF8B3CB636DCAF66C15D7427,SHA256=CDD11130A4939590BC022AE4C424B9253FF4FCB65F0AE0CB700E73692C58084B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.726{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.726{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.726{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.726{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.724{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.723{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.723{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.723{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.722{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-F402-62DF-2905-000000006F02}1023210236C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.701{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.641{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.641{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-F402-62DF-2605-000000006F02}1014410148C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.635{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.623{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.588{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.588{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.588{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.588{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80C2230EE5268D5607091E50D87B85C,SHA256=472B327627D0A46D36FA70922286A83840DEA90DB31960203AEF6D209A9CDE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.588{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09575DC38C2F4768891BE9F4A41C2DD4,SHA256=EDA49FE36F1F115FEA78F4AE1B3AFA6CDA417585A6DB340A672F862E1FC95E8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-F402-62DF-2305-000000006F02}1005610060C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.560{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.541{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.504{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.504{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.504{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.504{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000279798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:40.231{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64969-false10.0.1.12-8000- 10341000x8000000000000000279797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-F401-62DF-2105-000000006F02}1000410008C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.494{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-F402-62DF-3305-000000006F02}69087384C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.457{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.457{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.457{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000279776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-F163-62DF-1F04-000000006F02}22647580C:\Temp\dcrat.exe{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000279769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.454{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3232752DC701416E919F46B081132E0C,SHA256=BE46ED05AEC07D708F7792A098F875BF74A69C91C588AFEE2884D28448B5943C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.426{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.426{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.426{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-F402-62DF-3005-000000006F02}6852216C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-F401-62DF-1E05-000000006F02}99209924C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.412{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-F163-62DF-1F04-000000006F02}22644896C:\Temp\dcrat.exe{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.373{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.373{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.373{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.373{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-F401-62DF-1B05-000000006F02}98489852C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.364{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA34295B5E271885F5D6A76ECB7817EC,SHA256=D73C35D9862E44B28104FE9A99DADE8A91E575BD6CAFB5E6FFA609D6FA3FF0D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-F402-62DF-2D05-000000006F02}6687448C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-F163-62DF-1F04-000000006F02}22649300C:\Temp\dcrat.exe{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.294{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.257{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.257{F81F30E6-F402-62DF-2A05-000000006F02}82769352C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.257{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-F401-62DF-1905-000000006F02}97929796C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.253{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-F163-62DF-1F04-000000006F02}226410196C:\Temp\dcrat.exe{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.237{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.226{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.222{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.220{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.204{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-F402-62DF-2705-000000006F02}1016410220C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-F401-62DF-1605-000000006F02}97049708C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.190{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.189{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-F163-62DF-1F04-000000006F02}226410128C:\Temp\dcrat.exe{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.183{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.173{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.142{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.142{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE03CDA78C5DDD39071310B2037978C,SHA256=FF0A381C46A25087A505049004A348800CE23104F80578711A039BCC092B9AEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.142{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.126{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.126{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.105{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.105{F81F30E6-F402-62DF-2405-000000006F02}1007210124C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.105{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.090{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.073{F81F30E6-F401-62DF-1405-000000006F02}96689672C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.088{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.073{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.073{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.073{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.073{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-F163-62DF-1F04-000000006F02}226410036C:\Temp\dcrat.exe{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.071{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.058{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.042{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.025{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.025{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.024{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.024{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.024{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.004{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD762797C208BF6320F64A6CE23743D8,SHA256=9586FBB639FD87DBED1D9B3C7925A471AC68582D578E494BFE0E2FE9999E6D11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.421{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BC97A08479D096A9CA9CB52B33605B,SHA256=91609DB0E9F305C993429FEE4EE9A0D625E49B9029056627D41A86C3348D3C3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.225{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.204{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.204{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.204{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.204{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.188{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.188{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.188{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.188{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.172{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.172{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.172{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.172{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.172{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.157{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.141{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.141{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.141{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.141{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.141{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.126{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.126{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.121{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.103{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.103{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.103{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.103{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.088{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.088{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.088{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.088{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.088{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.088{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E76A8C75BCACDD1C53945CCBCE6F494,SHA256=9E69D1261EB8F70B882C2B49944ED96F7B5AB8E4DF39E5B69620D5436BFC6D1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.072{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.056{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.056{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.056{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.056{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.041{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.041{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.041{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.041{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.041{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.041{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E856FBE47D5132F450CFB77B508637,SHA256=8459163322F5F761AC5EC80EA2EFB680FE6186666A699AC9C3FAEFB215B0AC7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.025{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.022{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.022{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.022{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.020{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:43.003{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.988{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.988{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.988{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.988{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.988{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:43.012{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0786259CF8B282DE8A32472A6A9E57C,SHA256=3A40784A2E2FA31E8A25C4E91ED00C4B2DBB1A86D10D054B9C3559062802F07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:44.125{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA2CB43E4DAE3791A77D31B7F39D3C4,SHA256=9779AE00D3D1FC006D6E277071B35AFB57DF796A92178474E636CAD99B547F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:44.106{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4CF65EFC3CD6DCDD90DD2BE2C274C3,SHA256=2ED4704E6148356F71841C8197CEE32557C3E9EF0C14E2226F8508CEB908DBFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:44.192{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51037-false10.0.1.12-8000- 23542300x800000000000000053452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:45.199{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1014EA51EB5A2488352CCD17773E5F0B,SHA256=F22BBD7E84A09A0AD4DB67BA1B05C03BA6F32AA1C294FAF54F57016E474FC8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.519{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC64E711DE80116C916822EDE5F3DD4C,SHA256=9DC37A42E61292ECA0DAF2FF224ED57D954DA52EA885885A4B6D26F8BA68D159,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.487{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.487{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.487{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.487{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.487{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.471{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.455{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.440{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.424{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.424{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.424{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.424{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.424{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.424{F81F30E6-F405-62DF-3B05-000000006F02}1045210456C:\Windows\system32\cmd.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.430{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000280104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.424{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F405-62DF-3D05-000000006F02}10504C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.402{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.402{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.402{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.402{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.402{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.386{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.371{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.371{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.371{F81F30E6-F405-62DF-3C05-000000006F02}1046010480C:\Windows\system32\conhost.exe{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F405-62DF-3C05-000000006F02}10460C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-F163-62DF-1F04-000000006F02}226410448C:\Temp\dcrat.exe{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000280078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.359{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000280077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.355{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F405-62DF-3B05-000000006F02}10452C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:45.255{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18E4CB74DA5EDBEA5161E9B9793983D,SHA256=FE7BD4768BDFEB5A2644256C7A65331B0E754CFD7C5B46E905E7B16203259329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:46.293{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5595E2FC5BA73E8189883BC11CACE65,SHA256=3EA9307E1528A6B4BF42C8D2CAFFABF8ED19DE48ADB817522F3428476C9578DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.539{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.386{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D3D5F9ED3D193F8A3B9F2A97130E1E,SHA256=2733B1311ABC57BD0F247218DD1A3CDDF56F643924B9990525C69A3A369771A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:46.012{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:46.068{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51038-false10.0.1.12-8089- 23542300x800000000000000053457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:47.387{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F31C88412490EDB70ADBC6F977C7F3,SHA256=9FD6B97F1917DB02ACB50845324BEE092C6E10ECF5483B02D979F905832227FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:47.501{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3722C060DA5795B85B065CF3C4E228,SHA256=E09C8E6F45453763ED612BC7C44E6C354D308AA2AE1EB5831B24388D14012026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:47.168{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5D02DDD1BEA22AA58CC5236F247091A6,SHA256=70B755EE9E0E81E86DC5585C987CA2D6825C8183FC3769E2AF7B34B30F0EE7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:48.481{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB87DDF6FBEEE3A9C85511EAA77EDF3A,SHA256=78E0D1E261C60A0E23637406134BF83953F2845F63E1C5E1DAA44F131327B63F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:48.538{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C31AC7E6C903562703F02398219219,SHA256=FD8E978C2AA1B2B4B0A7E0A139570A881A8F17FEC978CF9866DF6CE5728479E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:49.574{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78BC6B8BE8F1A31E20C2A649189C7EEF,SHA256=DF61DEEC76D109EB21B64A8A7D9DAB44F55BCEB1FECB304316936EEDF3192373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:49.568{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C4FF7CD83BE7A3885717ED6AA71931,SHA256=4BDC3CD35DB70EC127EE904815EA84ACAC61748E5D239B2EF7DBA8E59959BDB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:46.129{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64970-false10.0.1.12-8000- 23542300x8000000000000000280149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:49.020{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:50.668{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF3A6B906C2286E84B00B6B77BC4D3FF,SHA256=771FB1B7CFE6EBDEF0B17B7C749CE9F6D8FCB9E6CD6C514BECBECFC5E13FB090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:50.598{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8785A2F4B02D5A5ECD1CA1FDBC615906,SHA256=A202A0A93ACF1F9A6661BE19DCE2FC81FB2160DA4E389139017082FFE9246B71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:48.012{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64971-false10.0.1.12-8089- 354300x800000000000000053463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:50.208{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51039-false10.0.1.12-8000- 23542300x800000000000000053462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:51.762{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EF05798787A7A3B15C427063D01471,SHA256=9ED2AA9356E52EF8866B27F0D21383356D00509E4F1EBB0FE7F3581E78867224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:51.751{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8AB8CD8EFA7AECFFBEF3999882B6801,SHA256=EC23E8DC7C2B34654C377F4D5DC3F703F73147FC3D6EB9DD4841D141B5494DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:52.856{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BD12F89176E9703757F72D2B386C1B,SHA256=C2CFE3B31EDD01FD402410753E698DC07FCBE7619C5A7994D6275B30BA87215A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:52.797{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EB0D48D464F00CD7FB4489C0D02CEC,SHA256=A57D66E0B623FB582FFD7B8D37C9FD0B401C62DCA141C9DD43D7DED30A2210F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:53.949{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33EA17C7E9304FE0A14FFCADBE646D66,SHA256=9517D47D7F26251A32C57026AAAD3719C499D69F15BF19EFE5646C348D323A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:53.833{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC008E2CD95B1D8CE149429FE3F2131A,SHA256=1809D9AF25FBE7A16D2D6DB386A4111998D320AE8168C381F1899211B1D266CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:53.765{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:53.765{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:54.953{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E7EAA5E4D5D8BB2A60BE8B9977AA7F,SHA256=D092CBE727C166715264E4E5D490B68C5AD44536A32ECA4C7CB45EADA0F7126D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:52.062{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64972-false10.0.1.12-8000- 10341000x8000000000000000280160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:54.466{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:54.466{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:55.043{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038188FB892D9C80BA14202626E62B2A,SHA256=C5F49AC912E5DEE4584BCA3118B0C8B72C71E93ACC297CD3DA71DFB6618E75E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:56.137{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D966384FA6B3C1AB7EFE574762424DE3,SHA256=3EABDCBF02FC0A8E67B08B98E0F4B979C0BF660043293E0AA177DCE0E4B0C4D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:56.054{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390E6E0D790B960BB7BD2A7730545FFC,SHA256=FA0FDD97CABD89BBCC752E8818B1B12D8FE35F915CADDD003183D0886632C9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:57.231{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE1D5231ACC9F5FD22A7ACB3786FD2A2,SHA256=A8B5F95BB0BE75219B77AE3921ED5B7291F98D61D027DE0FD8323BF48B9227DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:57.099{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAA60B1C9941B3FE82DAE0442212E32,SHA256=FB0DD70BEA2D314ADD7107A87557F71CEA6D19A43DFC1D66F833CACB61028FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:58.324{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5F92F81E9DF6573956559AEB9633B7,SHA256=15200313A10985E0D3F55B014123843FCE7B44FDB345B33209CB4E64E9805DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:58.151{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34DF97FFCB5658049C299103F1FF972,SHA256=8B3462B06C652D1590FDDFFB5D5296246D70615B37325EAC9ED1C08BB8905235,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:56.271{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51040-false10.0.1.12-8000- 23542300x800000000000000053471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:59.418{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F526227A74753C5C6180E41D80ED607E,SHA256=DD4154226D2D2276235682AD7EF4ACFE1EE29F7475481D4F0CC7178CD3D078AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:57.247{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64973-false10.0.1.12-8000- 23542300x8000000000000000280166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:59.182{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1322C816EBB275D023B4BC8B1D242F,SHA256=AFFD7E536F314C297788F1529C763B81DF20771713EB529255D655E266BCCD77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:00.512{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACA53675110ADF6493E967097BB99EC,SHA256=D71010B96E022D2F2FD080D41ABE4B1CEC67A53F885FA91AA995A9F94E730676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:00.933{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B966BA3F8EF5160FB05F6DAA2D06FA4E,SHA256=28933204C4FC71AF96FF476D91678B080128B06F75224CCE0D95E36BFA4928D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:00.234{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF363407626259A080992B6B0AEEB16D,SHA256=EC116E847E1C17333C237E20CD91D321D7BFA5E4A7266C5C14C573BBF52C8D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:01.606{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFABCACD29780967CF124A9658655F6,SHA256=C6A19E2959AFCE04BEFA405440F99DB672D0FD9907E8384C9B6FEC19611F9266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:01.279{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2963ADC477EB8E3D314053B5442865,SHA256=5A2E06255D6F77AB782271A1A9BA770B5A2D7CF0E4DAA0D09A316BD543905762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:02.699{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0101D39275AEFF22375B0FF2B401B88C,SHA256=C4E0869A5B56E8D0DB09B1081D25E428C798DF90B1E3CBA2DD0D63710E3C3F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:02.311{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037F6888EE0CE961A64BE8737C12F768,SHA256=A04C5980C124DCE2B0AC7DB437D3E04A5B0E7C2CDC028C5DAB67EB61D7B7CBE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:02.286{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51041-false10.0.1.12-8000- 23542300x800000000000000053475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:03.793{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD7320435143B01213D0C3A10717925,SHA256=911154CCC66756A74A5356DC02074389C8033B5005C54D523A13B8D7CEC18291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.830{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53C69D6236F9713FFC42407A363B777B,SHA256=3C00142F04E09C8A9832C3F721CB974D78D63349943C12669BD82AA8E7474375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.630{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71230E20B3BB2EF08F23623792FAC460,SHA256=7B6D64E9D4A2E5D97DBAEBED055FCA869F21AACFA44B9EB5C8890A949C2C8904,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.315{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.315{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.315{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.315{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.315{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.293{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.262{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.262{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.246{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.246{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.246{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.246{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.246{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.246{F81F30E6-F417-62DF-3E05-000000006F02}1064410648C:\Windows\system32\cmd.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.258{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000280204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.246{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F417-62DF-4005-000000006F02}10696C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.231{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.215{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.211{F81F30E6-F417-62DF-3F05-000000006F02}1065210672C:\Windows\system32\conhost.exe{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.193{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.193{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F417-62DF-3F05-000000006F02}10652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.177{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.177{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.177{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.177{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.177{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.177{F81F30E6-F163-62DF-1F04-000000006F02}226410640C:\Temp\dcrat.exe{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000280173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.189{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000280172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.177{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F417-62DF-3E05-000000006F02}10644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:04.887{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E080E9EE9DF652E7B567F355CAE0C33C,SHA256=8E097A68E73F753925238EDAEEC933A81BBD4C90DAF07BDA91153659AC4089C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:01.722{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64974-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000280240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:01.722{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64974-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000280239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.761{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58EF360CE787121545F9212EDC873685,SHA256=F25EE7042C26B2819615D27647B6F11C1BADE0D8BD4811DC1987D7493A74613C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.714{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.714{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.714{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.714{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.711{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.711{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.711{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:04.711{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:05.981{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E948EFDE16C7E99837DAB62A9A894FD,SHA256=F7F092F4C3173B64FD714A1524C5E59BB3D84AA29E349D3EDE1FBC7D819B11E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:05.911{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E3E0EC55D104A16857A9EA1FD16742,SHA256=FC33991BD093E1DF2E3633FB57F9048FB8BE1CA235167A4C9B6ED93BF723A8A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:03.158{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64975-false10.0.1.12-8000- 23542300x8000000000000000280244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:06.943{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBE80A05AD0CAF859E2663F57C999DF,SHA256=BCD8EAC67E9FAD610F945D449A264D271405E51A7FB9DBB53CA8965F9FB85D96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:07.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE8FD8D8895425DDBE6409C073943F0,SHA256=32208D278DD1AFC04839580584725E8A6DAB77CB1C7F6BF87D4CF6D8DE8202C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:08.168{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A76214EB66DA2EE525774D119AE104,SHA256=0038D8BFBD8EF162E57ECD46DB80825FEF3E012EF2085BD5EDF1BED4C486EB66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:08.108{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:08.108{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:08.059{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A09991D601F1C050DA832E24AA14C2,SHA256=2D8F9879C676A55FF7009040E97B85B4975A3EF1335E11164EA4E4AA1DBD9A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:09.262{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED2803B4DCF9A385A096D3536AF87CB,SHA256=5150790B3602E84E23907F60A831C25D37A61A5C3F0EBBAA6648AA914C84810C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:09.559{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:09.559{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:09.190{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0B5BE832EB8DDDF05E21F4FC092D63,SHA256=185A92C26D28D4E4B339AFEE6DC8970BC5283C9218B5F266A094C63CDA71226C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:08.114{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51042-false10.0.1.12-8000- 23542300x800000000000000053482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:10.356{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C400AD7D12588064D5CB0E1850E2EC4,SHA256=A95720F3DA7735E66D3BBD6DC516BB0C01EAF937791E87AC2E7CB1FFE9D0778A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:10.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:10.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:10.290{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5895FEED4444AE28357D21AA2ADB849C,SHA256=FFDF0CF8175C49D1157C5EF7653BA2A7C1211F2779CA2EF3E014A814E3BCD162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:11.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2DA163638155AC4B5D43E77388F446,SHA256=2FFAEF0B6F6CC7FF91DDE7DC0706EE8BB5EF46408E105E7C298AF17252232CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:11.407{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2A76B01035140C446ABFA7F8BA1896,SHA256=ED508FF81E0DB5587DB4F5EFE93771001A3C16B2E57B7B73A45C515410519E86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:12.542{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F3B493EDAED1780B3D532D982A3CCD,SHA256=D74DF97B8FEB7F62AFDBF1706CDF43961CAFAC4D57489F5FE4F65E54E10EE2D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F420-62DF-9503-000000007002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F420-62DF-9503-000000007002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.871{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F420-62DF-9503-000000007002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.872{53069400-F420-62DF-9503-000000007002}1284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.543{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFD7D4CA85B88E5AE061466B7AC3CD7,SHA256=275E90C2AACFB41308ABD6CCB43F21784AE55AFD67805E8C7A1B4E8FA6CF7CFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.387{53069400-F420-62DF-9403-000000007002}3096596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F420-62DF-9403-000000007002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F420-62DF-9403-000000007002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.199{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F420-62DF-9403-000000007002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:12.200{53069400-F420-62DF-9403-000000007002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000280255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:09.171{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64976-false10.0.1.12-8000- 23542300x8000000000000000280257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:13.589{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C6ECB65FD939D85FDD7A3EB6EBC438,SHA256=091BD957856EE4C87046D81C0329D41239FD09B67D6C18354CB6EBE5A8A25FE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F421-62DF-9703-000000007002}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3A06D776D4DA9AB30F93A81796C993,SHA256=127740789E77D52B016F133A8B0D5B4BDF0EEC4428816416BB96613E7657AC3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F421-62DF-9703-000000007002}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.871{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F421-62DF-9703-000000007002}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.872{53069400-F421-62DF-9703-000000007002}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F421-62DF-9603-000000007002}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F421-62DF-9603-000000007002}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.371{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F421-62DF-9603-000000007002}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.372{53069400-F421-62DF-9603-000000007002}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.293{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=239F9A15EE9689A43E24F47EC8D1DACA,SHA256=29F172CB147799F172865B536934947459AA9B7FAF6B9CF15EC51BB20AD5A8D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.074{53069400-F420-62DF-9503-000000007002}12842652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:14.689{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A208FAF078122D5FDA337E5DE5FADBA8,SHA256=EBF495120363E1C6C2E6B6C069AFA76AADC0DC020383885878D0D1FE7E8D6AC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.700{53069400-F422-62DF-9803-000000007002}7161220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F422-62DF-9803-000000007002}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F422-62DF-9803-000000007002}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.543{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F422-62DF-9803-000000007002}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:14.544{53069400-F422-62DF-9803-000000007002}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000280259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:15.741{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81E277DF6988DF802C20286C189F3F4,SHA256=41DF082E417DFC222C3715A03EC822C3371D8C79DE318898FA13B0EE20F1A730,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F423-62DF-9A03-000000007002}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F423-62DF-9A03-000000007002}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.715{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F423-62DF-9A03-000000007002}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.716{53069400-F423-62DF-9A03-000000007002}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.451{53069400-F423-62DF-9903-000000007002}9523708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000053570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:13.317{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51043-false10.0.1.12-8000- 10341000x800000000000000053569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F423-62DF-9903-000000007002}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97C-62DF-0500-000000007002}4121248C:\Windows\system32\csrss.exe{53069400-F423-62DF-9903-000000007002}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.215{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F423-62DF-9903-000000007002}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.216{53069400-F423-62DF-9903-000000007002}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:15.012{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88854D0FAB88308CC0DA3E813E38D3F,SHA256=B2A034654A6CA359989F01716AC95A8F5091EB5D84439B26661C9CDBE6BD3344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:16.887{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F391EB48CACE6B3F0BF0D04606D8AAF,SHA256=ED344806377B7BEF0566AA0FDAAB59415347E421C0586431BD1C9B60CAA5088C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:16.262{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2267ABE79562FD16DCB7444DC41AAB,SHA256=5D5059A0B79731ED10187F1E81E264F49804CAEAD7DA32DFC8C67B56DF170C5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:17.972{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E15649BD3E01077F4EA4017DFCC6D67,SHA256=C5D312608474860495D75CD060CA6EEE10A2E965806C541E3115B69940A9FFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:17.418{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=30C8358FA73EA96314772F0940331E63,SHA256=DAAE4BCD13B6C590A0EC898589E02B509B7EE9414689770BFFB5597EB2134D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:17.309{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5192D84E1BAF3C0AD1E1AA5EB705B7C1,SHA256=841B337EA173902D5D4DA1E2E378CDC7C9259324F289E739A5E510561202F887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:18.402{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AADB0815635442E4CFE063034798A33,SHA256=67BAF8A2FC6090251BC136A4C7353C6D0B8B30A4AFE539D42A8852016375AF84,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:15.168{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64977-false10.0.1.12-8000- 23542300x800000000000000053589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:19.496{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365EE3E0F7DF04B5D4EB7F1B2608F729,SHA256=808F74C2C67F56AE76A2D12E5704BB2A4E624BF7267D758B5E97FF238E973A23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:19.424{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:19.424{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:19.105{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C05689DBF5E0E5919486F94C0223F54,SHA256=738A25B19567482CC8AD03B9D0AB244032E1D2A9B383C6D61770477308F6E8CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:20.699{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45DAB8294C2C61821D71F3853DDB636,SHA256=5CFB818951977F3BBD43BB4B57371CA0FDF740832055578CD28DADBF8BF2A831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:20.231{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A429F704C88CB7693A38695B89B27A0,SHA256=91B7DEF834490313700C02A8A76DEA6DF904D985B543A9D1E42A84649CB25980,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:19.333{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51044-false10.0.1.12-8000- 23542300x800000000000000053592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:21.793{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E899940D653FFFCABA9FCBE9ED30CB13,SHA256=959AF897F9805DC374BE947C585B255A5391DFFF85CFBE129BF0C0B5A5EBB42E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:21.253{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480DDF8106736049C8553E0EB6B4A6F5,SHA256=E184B42D0FDC325D0FDA73FC9FCE8982E242E9F9ADDD9DD6DD15D995BE5B90E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:22.887{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D7935320A423E86D8C740B17A9456B,SHA256=8C1A8AF87C2D68BCD2CAE18DA06D5C5F68218E826A15779AE964185FD734E3E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:22.304{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CBFED3EBA16DD08F83F8043E7B55514,SHA256=90837FDEACD6724EC7D62AA0B259EACEC6C9F048BF44E42E4094555CB83BA203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:23.982{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C205DB42B647F713C82F4CD4C607A7DA,SHA256=9A97FFD86134C1F76FDDB69485F465FB0D7485CDBB1844BFE366307FC1C79E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:23.419{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13941B2B3F86E6078698555B67DB7875,SHA256=EF6C92A768A133063A732566C5E42D8452F6147C17D074F20C5F7F43BC0060FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:24.471{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E031A5C318BED585BB3B9263BD11D0,SHA256=1F597B1B427AC4FDB647C55874AC11ED47AB536D3106DA59B995B1E671D2665B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:24.171{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-110MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:21.167{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64978-false10.0.1.12-8000- 23542300x8000000000000000280272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:25.517{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1588C71EBF9F6B2F199488679ECBC2B5,SHA256=6236DC7955A5B8F953951352D98C3CE63948447CD9F32B49EBADDCB2423E3A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:25.185{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-111MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:25.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FFBB54273465990D27A97DC93A0447,SHA256=66621650C4B2D102067B74986EA458857C7D1A5206D1B0060D33370E914247A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:25.099{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51045-false10.0.1.12-8000- 23542300x800000000000000053598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:26.168{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06445F5579D348CBEB8BB7B86C84E5F6,SHA256=100E26EAE9AB540F1E649B668D9743046DAE7A37DA3D8E80A80758F350806E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:26.569{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECB54D83CDEF881EE7247359D10474F,SHA256=8B6770857AFBBB342CF3D54E6503B8F204F4D4EEDC788DF9800DCDB12F2B2165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:27.615{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0F20D6CD6D2318523C45C04B6235F8,SHA256=CF9FB75B17F553645D15AAA420DFB6EDAD359331B8E178A7EABB0D0874A9AA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:27.262{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E399EE9BA6C5868CCD02A7CEA3FC8F,SHA256=BDCD290F9EAF5979CDA2F2558E7236FCB094F93B8186064EE3D535A3B4E0B59D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:28.748{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D609C1B33BC91298433F9AE3A5295F8,SHA256=1CC07FE229C430A7015087C75B1B500E426A1B76D440290F7C3B308AC0034E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:28.356{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A30F66F67426C131538BF49DA387BC,SHA256=85A810643FB54E6FB65B735858108B4078C52CCB1953ABE33145D1FF693E5F3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.967{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.967{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.914{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.914{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.899{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1642976E8E4230BE8FECBEC469F3E7,SHA256=E9F30631AC0DF66619B0B1C4F275DF7DF80365462F0B208A97E66CC44B010239,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.799{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.799{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:29.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB8F0F8B3B30D86447C3916113EE577,SHA256=79C90ED59392F848BF2B6E21F59EB670AA72000D80FE9E295EE19130349E4DF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.384{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:29.384{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:30.868{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC9F71246BE1534CB3131C390A28C3F,SHA256=E37A1EC87322468E85CFA6D5B84C2EC02222759CD5C763E9B92EBD1ACFDDBB4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:30.543{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EAC6667325A675CC9A3228BB1316557,SHA256=F33148104B618E86D9321A12B85AC8BB320F027435D3C5C292EF3842FFBECE13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:27.159{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64979-false10.0.1.12-8000- 354300x800000000000000053605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:30.161{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51046-false10.0.1.12-8000- 23542300x800000000000000053604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:31.637{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D8A2DED8B3EB74BB30837FFF75D390,SHA256=7DBC727DB103CA44EE88808596076DC495BD3E4315E9B7BC6C46C500047B9520,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.515{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.515{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:31.184{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6F68DD26DAD128BD9594E48CA94920A0,SHA256=CF08055AA25B99BE244EF7D4918A5BAACAA53F1CF0D1127885432E4BA7AC777C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:32.731{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A8ED26A8DA638E5C34E824E49D9F36,SHA256=467E7E46B9A406D00B9045E65C5A36FAC911F49C2E91E8D2982F2BEDF391ECDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.867{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F434-62DF-4205-000000006F02}11128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.867{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.867{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.867{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.867{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.867{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F434-62DF-4205-000000006F02}11128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.867{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F434-62DF-4205-000000006F02}11128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.868{F81F30E6-F434-62DF-4205-000000006F02}11128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000280305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.399{F81F30E6-F434-62DF-4105-000000006F02}1109611100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.183{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F434-62DF-4105-000000006F02}11096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.183{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.183{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.183{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.183{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.183{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F434-62DF-4105-000000006F02}11096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.183{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F434-62DF-4105-000000006F02}11096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.184{F81F30E6-F434-62DF-4105-000000006F02}11096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000280296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:32.030{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D0A80D4E6282DB03EEE196DAF0A0CC,SHA256=2063512FE810456126ACC5014897CF4C6FE6FF251A753286CD39BBD6F0160AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:33.824{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2EFBF8A7272A2B6DE49C15854C81F5,SHA256=46B8900EC9B1A67C9ED8C17B84935D3971E0B343F19FBA86EDFAB5D1EE55EA4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F435-62DF-4305-000000006F02}11164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F435-62DF-4305-000000006F02}11164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F435-62DF-4305-000000006F02}11164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.533{F81F30E6-F435-62DF-4305-000000006F02}11164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000280315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.247{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=904C169C0A58E2B15FEC6A7DC69D0732,SHA256=1D308888D3E965909460DB11FF294AD0CFBFBF9324C01CFB560D7568BBCBB541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.167{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F2A4450885F3590AC947940FD83457,SHA256=A25F7BC2BC6D8BA0F64C71D723ADEE886B671D7CDEB07D2A607C3553D4AEC6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:34.918{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B73B2D73831EC187C26492DF0E632BB,SHA256=0CFB462783B0044241DB03D98020487669E751092678516608EA74404E8A69E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.929{F81F30E6-F436-62DF-4505-000000006F02}1123211236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.813{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A7688DAE63350E888AA75AA396F8591E,SHA256=F0227FE9144B930305997EF6D5C25A898E92FB1232A274A801DCA663683C8C97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.782{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.782{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.782{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.782{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.766{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.766{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.766{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.766{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.713{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F436-62DF-4505-000000006F02}11232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.713{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.713{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.713{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.713{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.713{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F436-62DF-4505-000000006F02}11232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.713{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F436-62DF-4505-000000006F02}11232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.714{F81F30E6-F436-62DF-4505-000000006F02}11232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000280333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.451{F81F30E6-F436-62DF-4405-000000006F02}1119211196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.297{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4604609B6E8E75EC6074B43D5AB138,SHA256=4E8786EE96966C963B603CDEEB95DE0974E1E5D50C56C40F7E111BB45BA8D0D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.213{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F436-62DF-4405-000000006F02}11192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.213{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.213{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.213{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.213{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.213{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F436-62DF-4405-000000006F02}11192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.213{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F436-62DF-4405-000000006F02}11192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:34.214{F81F30E6-F436-62DF-4405-000000006F02}11192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:34.043{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=11A7F8A5021ACE77F4D9709E240BC903,SHA256=6368523C46CEE0E09F05FA6139DB38F621FAA5EB551A64151EAA6ED355D555DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.781{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4AE24674ACAF39FFDE002929F721CA,SHA256=DEFA4649155E657F5E672F5B1E5F4835BAB677B08E9680D9CDEA70C4FED09C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.597{F81F30E6-F437-62DF-4605-000000006F02}1034010400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000280360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:33.110{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64980-false10.0.1.12-8000- 10341000x8000000000000000280359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.397{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F437-62DF-4605-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.397{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F437-62DF-4605-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.397{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F437-62DF-4605-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:35.398{F81F30E6-F437-62DF-4605-000000006F02}10340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000280371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.481{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EFABE2B6D4D1734935829005358E563,SHA256=29F69B91B6995C7204F68C90E43E65452C059EB4A51AB7A4A06E93CE16691451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:36.012{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C11248E349ECB0690331CA5AAD5FD2,SHA256=B348FA0078D249FBAAB4B07C5D8419A7F0C98B435F51BDD4B39EBD202958D040,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.065{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F438-62DF-4705-000000006F02}10536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.065{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.065{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.065{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.065{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.065{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F438-62DF-4705-000000006F02}10536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.065{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F438-62DF-4705-000000006F02}10536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:36.066{F81F30E6-F438-62DF-4705-000000006F02}10536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000280409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.964{F81F30E6-D97C-62DF-1500-000000006F02}12282420C:\Windows\System32\svchost.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.964{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.932{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.932{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.932{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.932{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.932{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.932{F81F30E6-F439-62DF-4805-000000006F02}43204120C:\Windows\system32\cmd.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.939{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000280400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.932{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.895{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.895{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.895{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.895{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.895{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.880{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.864{F81F30E6-D97C-62DF-1500-000000006F02}12282420C:\Windows\System32\svchost.exe{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.864{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.864{F81F30E6-F439-62DF-4905-000000006F02}63004312C:\Windows\system32\conhost.exe{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F439-62DF-4905-000000006F02}6300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-F163-62DF-1F04-000000006F02}226411028C:\Temp\dcrat.exe{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000280374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.854{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000280373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.849{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F439-62DF-4805-000000006F02}4320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.512{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D83454B68B6B667E342ED360650849F,SHA256=B482CDBF54E3D5F9BD28C947FD6A387FEA4F916EE7564C0A9D6A62E5B7DF61C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:37.106{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E071D12A1C213D9BC4F94563896364C2,SHA256=4F548D61E171AC9176C15E2F3508408DB869E3244C1ABE7F53D2BD0D9721E108,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:36.114{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51047-false10.0.1.12-8000- 23542300x8000000000000000280427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.927{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFE18485DFF5ED34C2DA1C9ADFAF5F8F,SHA256=B9BD94FEA5FA0C224BF7CB349D9D1CD46A1F2C5E0F18F21C8E4C9BC0462DD116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.895{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDB42E56DE5AAE7660E9E109ACC92AA,SHA256=B7AE3D79C4515D0AE5182F5317B22359A391C4CD7DD62B38751DBD6694FCF675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:38.199{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92D22C62AA80FEF34BAD516E6905B107,SHA256=F2F34916A383CDA99C0245A7205FCE5F957D32C2B3E3857B1827C682A35D3D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.429{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-110MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.048{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.047{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.047{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.027{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.027{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.027{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.011{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:37.995{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F439-62DF-4A05-000000006F02}8176C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:39.293{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D238ABD651D8837DCE342615FC7F19C1,SHA256=C2EDDE94B9E628260575012C6B3DD07200502BC1268E8FAC3CD98572427E68CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.446{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-111MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.364{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.364{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.364{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.364{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.348{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.348{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.348{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:39.348{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:40.387{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5FE40EBA7648901E39670F5B7465C3,SHA256=9920E3041F883EB825C5BC924001541BB02DF3A4D1E249CCD946202D6841592B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:40.025{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F05EF13DC49E41D648497BEBCA418BF,SHA256=D875482324170F25BB5D58FC5198CF571EE49AD01B246AA62258514CB994519E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:41.481{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4709477BB9FF403565EE933D1784FD5D,SHA256=18ED2EE4F0F7CA29C8D0FF03DF0C8139B56BFB36F244CE3E1DB91E6A4F96E19E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:38.207{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64981-false10.0.1.12-8000- 23542300x8000000000000000280438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:41.078{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970069AAC4AA50D81CBE24530F6E6FBF,SHA256=18B5E299C010FD72563607B4A95783B3290DD9482E587F49C63697731F69087F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:42.574{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7BE1AE18B6BD830371804A10E6C2CC,SHA256=908D251440C780E77BF3AFFE1C847667130F63F996C626147725676D3E72BE91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:42.198{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F4C4B68A9ED57649619C8D47E655B8,SHA256=A0D94E3D8BF9D47CF316B77B811A16E770D5176A5C9CC2818FB73B2BFE13964C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:41.193{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51048-false10.0.1.12-8000- 23542300x800000000000000053619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:43.668{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DF782364C1E1CFC1B0E6BA5D017AC3,SHA256=68FC567FE6BE6A21C82EDDDE6AD83F1C609D53BC37D0EB5BA16714DDCCF3E1A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.652{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.652{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.652{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.648{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.646{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.631{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.615{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.552{F81F30E6-D97C-62DF-1500-000000006F02}12282420C:\Windows\System32\svchost.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.552{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.515{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.515{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.515{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.515{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.515{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.515{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.499{F81F30E6-F43F-62DF-4B05-000000006F02}15601420C:\Windows\system32\cmd.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.514{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000280476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.499{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F43F-62DF-4D05-000000006F02}6248C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.499{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.499{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.499{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.484{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.484{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.484{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.484{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.468{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.468{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.468{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.453{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.453{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.448{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.448{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.447{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.447{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.446{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.415{F81F30E6-D97C-62DF-1500-000000006F02}12282420C:\Windows\System32\svchost.exe{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.415{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.400{F81F30E6-F43F-62DF-4C05-000000006F02}68327488C:\Windows\system32\conhost.exe{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.400{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F43F-62DF-4C05-000000006F02}6832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-F163-62DF-1F04-000000006F02}22647536C:\Temp\dcrat.exe{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000280443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.390{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000280442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.384{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F43F-62DF-4B05-000000006F02}1560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:43.284{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1BD1F3CD0AFB25CE2C5AFFD7834F8F4,SHA256=0E77374D06CDD31595DE45B01CB6CD379873384A83BB79E1679349F771228049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:44.762{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827AEA77E0BC12632552AF2E65CE3EC2,SHA256=F4720C9551149BA2127DBEE3C21FE47BAF8F6D6799ED35EC60DCEBDB08141EE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.483{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82AD171F300020435910A6016F2AD91A,SHA256=AFDB855407E7455674CD9740D75882166A1313427297E8104DB8C33454007A5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.430{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.315{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C3D3FED6A61B6FA8B04DA02E0A4D14,SHA256=83EDC43C0371FF20E33021D4C5C8F6D73C819D5E8A0F6F518B6F5449DAB000CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.015{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD253240D7C1394C0ADEBB5C805B4801,SHA256=91EE35ABA073D033969E418532C7DC4CAFAB3E6A8A2F4304984F6CD429B5303F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:45.856{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E872E8E0EBB5498EC5133FE41B7ACCE2,SHA256=D0601F9F10D030B1782FD501A16E18A28D5FAB2E1B5E782F17DA1DEF069EF5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:45.366{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218E5F9D0B69706642FCE5E78F0C2D5B,SHA256=B5EDB3A322860A8C4D747194F95FA61A0E9B28F3D43D7B521FCA08D2533C2690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:46.949{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552185B37A8C15D09E226BEB6B3B26A8,SHA256=F43C82B15D781CE7720C328FFA3BA57B4D23D610BBA7E7D32D57349063C57446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.846{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7971F948AE6F4830F429C5A32D9B24B,SHA256=ADA6702D346F0D93ED38035FFE4ACDB7BE4676595B9F8B285B73F406499C75F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:46.043{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.796{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.765{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.712{F81F30E6-D97C-62DF-1500-000000006F02}12282420C:\Windows\System32\svchost.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.712{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-F442-62DF-4E05-000000006F02}54124424C:\Windows\system32\cmd.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000280548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.696{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F442-62DF-5005-000000006F02}10584C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.665{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.649{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.649{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.649{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000280543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:44.210{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64982-false10.0.1.12-8000- 10341000x8000000000000000280542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.612{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.596{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.596{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.596{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.596{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.596{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.550{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.497{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.497{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.497{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.481{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.481{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.481{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.481{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.481{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.481{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7977E8CD26E82BFA48B3762F8C6AF9,SHA256=6DA26115FB62C2D2D99C6270280357A1264AD1D5EFD4E34B947D5C0C90F83674,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.428{F81F30E6-D97C-62DF-1500-000000006F02}12282420C:\Windows\System32\svchost.exe{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.428{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.412{F81F30E6-F442-62DF-4F05-000000006F02}69324188C:\Windows\system32\conhost.exe{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F442-62DF-4F05-000000006F02}6932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-F163-62DF-1F04-000000006F02}22646652C:\Temp\dcrat.exe{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000280515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.397{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:46.396{F81F30E6-F442-62DF-4E05-000000006F02}5412C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000280582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.696{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:47.512{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C628D191CDC311BC4D9423DAEB1C923,SHA256=613B9BA62B216FCBD89241CA1AD4081CF7F27CD2A0343D1A00D9E1B44F79991B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:47.793{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9270D7B057A19C24856B5947573507EE,SHA256=9FE6EC0E4F9F2B1FCD36C019C92015F74C4AA60CB8FC0CD48418417F128F643D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:46.099{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51049-false10.0.1.12-8089- 23542300x8000000000000000280583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:48.549{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1580F6DD3120205F1946C2A8B0D843D,SHA256=920C78ADF1E7C13589BA46AE1AF0194EA029D0072CB4481DBCC229B15C30A309,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:47.208{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51050-false10.0.1.12-8000- 23542300x800000000000000053626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:48.043{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08F3E83211E0F82B9BB794BA2B79B71,SHA256=F54E7CE80A80860E9B21416273160A6154FD0D19B98E10D9FA49784851F1EDD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:49.665{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384B9215FBD4E8D14DBC6BD5454B82A5,SHA256=98F1CAF18035870CF43E2A01034BCA8AB0622671E4E4CA4FE0369E41DE205228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:49.137{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C72CA996C09AB9EDC130F695E42B6BD,SHA256=BCD23D2732776C8A14C0570F7B541EAFF4DD055FB6A4CE32EFC45FA97455A7B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:49.048{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:50.711{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0DD578C897D9F41B4642AE07C04731,SHA256=FD2D94207A27C4E7AA1507EB21D92F5A145CDBEFFFB768B2E39B1E8E1D8FF100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:50.231{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C149BF9A5DD4DE6054F00EF4EE376FB7,SHA256=079647EDD29EF34250685D53AFFF82D359E05F8E73A736FCAC2C0A0F59F4841C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:48.041{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64983-false10.0.1.12-8089- 23542300x8000000000000000280589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:51.763{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263F4B11ABF233F91AF57F86F0C404F9,SHA256=C8E49C98C3A20068DF3AF519AF8831195F4367C98E13F02C1E047F430D9E5BC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:51.324{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C964137F7223F0B0381B689109E576E3,SHA256=624DB5CC0B6A194E89CCF0F5A3BB6FDBFD5CA105253A537E0737DD8C7BB6D8E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:49.240{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64984-false10.0.1.12-8000- 23542300x8000000000000000280590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:52.796{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA29C1EA351E6B3CF589F0679881A8A,SHA256=D491421F33605D6AE10A827CE91A3F25CBD7E1D7760D579CA50FE828D7F29689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:52.418{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=459AAEDDD267256E1EFCB69E9CC71399,SHA256=BBE07886B92F4336E5B9C94B24BB43AB302CDF4D24E24C36FAA259E53C2C7D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:53.828{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEAE76579B65C30A15E309E34FD8BB46,SHA256=2342FB8EF803540B04E3A994994E5B6C81343CE215DF16A63D4AAB2C24B4D9E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:53.512{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A08B3AB73C08F860E5E6D54C1567D58,SHA256=7C514133E3FDA202B54A3207772B648D6562F217F673726016A1A8DAA094CE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:54.606{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8A01A8F744A7EAC6D35C20AE2789BC,SHA256=B63FED7BC9F64DA67D73AF3F0E20E80234CE510FA4F2F489399FEF5A23FC3898,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.250{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.250{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.250{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.250{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.247{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.247{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.247{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.247{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000053635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:53.239{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51051-false10.0.1.12-8000- 23542300x800000000000000053634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:55.699{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA12CC3776062F2F1D2F648A292515A,SHA256=CE544C994FF90176714D522695EFD38F0BD8181B8B5797370B14A78A7AF9F5F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:54.996{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACDD547768ED3461FCCBCD90BC99489,SHA256=EB800843133707DE69AA6D900F6F1AC26052692E0BA6DBE050A8816A52CC244E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:56.793{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD866E15044225EAB32E427A307518F,SHA256=87E992313A06DB045C6922E577FE224F30F9460C406880BB822C43C3714A8F80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:56.448{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000280603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:56.448{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:56.448{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF68cccb.TMPMD5=916C2D93B58C5CBAC8AC3098A059BFC5,SHA256=55953AB8F4BC753693EBC3ACF5A7C00D704055829032829763C3617710DD9C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:56.043{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65AC12F3CF32951BC48BC3FB3E2707D2,SHA256=AB270D40893315082E74B627488D5DD281A86954096B9F86B201D797798C5598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:57.887{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC3495B1DECB85DF8F43A0668EA67F0F,SHA256=C3B32A8FD2F6F35FE3474F275D77CD933B6D5EE15B865EB06384F689BE874FE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000280606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:55.107{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64985-false10.0.1.12-8000- 23542300x8000000000000000280605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:57.094{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49E1FFF23524F1F81E751DCCACA1228,SHA256=3F3E68596A310054B43DCD19354C89600CD52D748E42A0C58E39AE98D25BA47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:58.980{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1027F296CDDE70B752CCE2F11609C24,SHA256=6F380DEC764DF8F88C892857F66F1F4C10A9D5A9C1B0382CF9715E19E3D4638D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:58.144{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594FC098A790AB4700249503E4CB8A16,SHA256=9B4B88B862AA7BD931975E20E365465E94F9C5490012D6D8DC59033DE200DDBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:03:58.302{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51052-false10.0.1.12-8000- 23542300x8000000000000000280616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:03:59.194{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73082A49CD94FD7686821A1733F02BFB,SHA256=AA77A48BA9CDF1997076A86F8D5E383ED4ECB701B8D46949E80C4B027B72BF3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:00.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC21621066C25429546F4EBB5C76F35,SHA256=C61163A9E78985BA2ADB5662CC1D0F67ADDCA253266B046E30BD6F2A33C8EE45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:00.224{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9847702E1331F041627AF6244CC814F3,SHA256=6ED7075DE1BD64A1590D8CC5D7B0D4E44CA06471FBCCECD7260195B814AAA98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:01.168{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CA65D44AB3A9D8F7A8590AD7402C67,SHA256=6F5CE5CCF6C5A6B8D8B38DA0E033650009AE7B244D0315873C9032C998E0D035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:01.476{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7B81B5A6591A864E343D987E14166D42,SHA256=D6D524C178AA9C47E3F75F0B829E76F0F0084A4D82B41FE07042068EE151D29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:01.261{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFB2292349D9C8FC9ED05D3D78A9491,SHA256=A572CDEDB4ACFB1C78580EE51B92F034D08D6ADA9D30D1126D744C310EBE507C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:02.262{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F65D34CD134375871B2286452F5079,SHA256=114E039CF7877515FD4BAE014BF16A7DBC33667C9CBAD7916DC8CEACE761E565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:02.297{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDAFEDEEBA4EC676B8C857E5C9CEBAC2,SHA256=17C9FD2AB08146CFC86C01304E3F99B4631DBD7F3EEDC212A38EDDA623BF803A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:03.355{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BC75A1C318B5EA57FD5BE00F8EEDC2,SHA256=63DCADF8D8804CCC40833D221418645131BA85B3B8B0B3BFBB393CA21453A3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:03.797{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE872C8985BF202CB1BFFAD8A81AE239,SHA256=845F1A3ED6FCB2FB6B5F2D651A65683567CA8E15FE1DCF53B6DDA965349FB504,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:01.139{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64986-false10.0.1.12-8000- 23542300x8000000000000000280621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:03.328{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659C25941DBAD4E0AD56BF1F45764507,SHA256=3607CEB578DFB6648F732E5BD39E45EA521C23AE38C0D73912B8C3B7DFD06FA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:03.333{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51053-false10.0.1.12-8000- 23542300x800000000000000053644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:04.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B3428424FDDD10E88F11289F1ACE770,SHA256=261D6FB66B734251E7EBD10FB9740EE7E5C33CE46E425A1773DBFE9D8DE89434,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:01.726{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64987-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000280625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:01.726{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64987-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000280624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:04.381{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186FC12FCBE3EDC67DFEA70F121C262F,SHA256=C029F6F7AA722984754940E29FC0CC13F1C521C53A346404905E1294D636E8D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:05.543{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A48786E00835FDAF4E51D8D70F96BD6,SHA256=695A6B73F96D1E43ABE0B8145EAA8B8A7D629159D65DCD454E6F41DD4E8CED4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:05.544{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5473CA1650776881255DC3DA3813C987,SHA256=D856464700FE0D7DC1CCE335EEEF50548B2769C17EE9B07AD028D677C725AB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:06.637{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9DA5C8255F20B82F71C34BC1848A50,SHA256=0EB7CFB79F32FCB7E4F6D95CB53608D0A7AB1BEBB464DD8AD563C20B97BFE60F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:06.594{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3EA8C357173D9D0AB4DE4BFA8D9F10,SHA256=588019C1134ED8EBB6D11B21A393BC14CD02F3516341512981BE851DA887A049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:07.731{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DAF9CF1E1A1170D8C4BC5D5C24D0538,SHA256=DF4CDEE0ADCC763A2FD39672B1CB833C80184FD691398E984E42A7FBAEB2FD83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:07.625{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED3D8A454359C78BFFB97F09F29E334,SHA256=6398312A9B008780D6A46296970B155B9E264FD24737F2C0911B9A085BF6E51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:08.824{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D777945B6AC10E5CF01F34DE9C4D3E,SHA256=E37DE0F611E74A4D54F5C55CFF727E469587C6ADF208B944CA535C10FA909DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:08.663{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E5AEFFFA1B800E0903B8BAB827EDCA,SHA256=E51719D30663A75DB836F3D1749B23D7F547B21E088C8B5C93D69D878C877822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:09.918{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4229C15CC075D823A354617DB0B221,SHA256=A83D9307C678D4EFF43722AC9ED06AA25CAA866C46EECBC1E4A973A060AABEA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:07.107{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64988-false10.0.1.12-8000- 10341000x8000000000000000280633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:09.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:09.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:09.708{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92BC6D052F6161BD7375E7C4561BC561,SHA256=B294825C7581B6A7712F4FF864628F57C36C281B7BDB07EA644D7B098DD6BE2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:10.795{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4985BB19E93254AF9207ECA408E5B27,SHA256=70CCC381841A2A58ED1A29D4D956A99907DE4980B91793B7C86394D38F03A7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:11.843{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4642CD6ADDBE8A88294C773D4B8A373D,SHA256=E9FC8B4E34FCD23F0B95525C86E5B7AD1B9037739751C01A6A10350AE2D0F203,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:09.270{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51054-false10.0.1.12-8000- 23542300x800000000000000053651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:11.012{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A6C7EFA85414D18BB9AF6673720964,SHA256=546E2441D583FCE5B971E44FFE4A46F7631B6904EAABFDE6FF27C0EC2AAE128B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:11.263{F81F30E6-D97C-62DF-0D00-000000006F02}9123628C:\Windows\system32\svchost.exe{F81F30E6-D9BC-62DF-8700-000000006F02}4224C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:12.893{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8C8FEEEDFA982C5DF88AF26501D2A3,SHA256=D0EB7FCD06A8097754ADC4EBDDB277C6E4E80F506550CC77997EC5E067774836,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F45C-62DF-9C03-000000007002}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F45C-62DF-9C03-000000007002}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.887{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F45C-62DF-9C03-000000007002}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.888{53069400-F45C-62DF-9C03-000000007002}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.371{53069400-F45C-62DF-9B03-000000007002}34762368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F45C-62DF-9B03-000000007002}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F45C-62DF-9B03-000000007002}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.215{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F45C-62DF-9B03-000000007002}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.216{53069400-F45C-62DF-9B03-000000007002}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:12.105{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A003C871B331C7F933B305CC89032B3,SHA256=8BDEB2D8CAA0494210A7F98DDC8B7772D1EF87B11BED14F3B96D9C4CE4937D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:13.940{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36AFDC7F2BB40DE052BED0D499DD897F,SHA256=AA3CFFBC39163EA6302AE7EC13FF73A0020777D2D07DFDB7D78D222DDF2D8163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.605{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81DF041D2C4DE1C0DF5BDAE5CE95483,SHA256=67EDED0B180A89AB979DB5051F4AF7B6F3EF8DFABF2B9ABEE28027DFDD9D2C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.605{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8306D70B435C855875577C339EF52856,SHA256=A1D49560EEB117774B53537FD22E3B9B0FD10F20C86B00BDDDA635346FF97BC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F45D-62DF-9D03-000000007002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F45D-62DF-9D03-000000007002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F45D-62DF-9D03-000000007002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.559{53069400-F45D-62DF-9D03-000000007002}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:13.059{53069400-F45C-62DF-9C03-000000007002}23641188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:14.990{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79DFF0971A960925777D4D1319C8B26,SHA256=B05E6B2C79E7CFB06896D87F04E07CB10A758146DF5E9D4E7D846143C834ABF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.934{53069400-F45E-62DF-9F03-000000007002}8523748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F45E-62DF-9F03-000000007002}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F45E-62DF-9F03-000000007002}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F45E-62DF-9F03-000000007002}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.733{53069400-F45E-62DF-9F03-000000007002}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.730{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5412460DDB5A035BDF894C7AFCADB8B8,SHA256=9578C68D7081C981C945E82B0AECF29DE5B3CF091B20BDAFF9A68B0E1B358D0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.418{53069400-F45E-62DF-9E03-000000007002}3664184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F45E-62DF-9E03-000000007002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F45E-62DF-9E03-000000007002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.230{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F45E-62DF-9E03-000000007002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:14.231{53069400-F45E-62DF-9E03-000000007002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD83C657B52258C6D13E03AC38BA8AC8,SHA256=62ED1F274062B1C8336E2AFC6A297290AD4D646CEB8771E487FFE6D17D569105,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F45F-62DF-A103-000000007002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F45F-62DF-A103-000000007002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.902{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F45F-62DF-A103-000000007002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.903{53069400-F45F-62DF-A103-000000007002}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000280641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:13.088{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64989-false10.0.1.12-8000- 10341000x800000000000000053738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F45F-62DF-A003-000000007002}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F45F-62DF-A003-000000007002}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.402{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F45F-62DF-A003-000000007002}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.403{53069400-F45F-62DF-A003-000000007002}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:16.980{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12980E6FE408A9F2726BBCEE4849703,SHA256=8F3A33E5ED604180B2018219736A9D101BE42DA6DE37140420A598223EBD3E53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.989{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.989{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.989{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.989{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.989{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.974{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.974{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.974{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.974{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.942{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.942{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.939{F81F30E6-F460-62DF-5205-000000006F02}94169488C:\Windows\system32\conhost.exe{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.921{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-F163-62DF-1F04-000000006F02}226410744C:\Temp\dcrat.exe{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000280644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.916{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000280643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.905{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:16.038{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE1D9070DD9FE8ABEDBCB0E2AE54A9D,SHA256=60D56F3805CCA74ADEF83E8F938D706CCD230B0A62E5CA2788DDA8E432E200CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.389{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2796AEBC64A9183505A0E63F3B2045,SHA256=AB37590FA1D21BFE80347023A4E110D10B7BE3ACE8521AC793900AB2B77A2492,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.173{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.173{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.173{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.173{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.173{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.158{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.158{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.158{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.158{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.158{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.140{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.139{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.139{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.139{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.105{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.089{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.089{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:17.293{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=03345DD0ED23B6B34189A8F451EE3267,SHA256=C60C10D8AC128ADAB2B60367D406B6DFC30ECC9126DA33E78B79D84EF2913276,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:15.270{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51055-false10.0.1.12-8000- 10341000x8000000000000000280677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.042{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.042{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.041{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.041{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.041{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.040{F81F30E6-F460-62DF-5105-000000006F02}94009420C:\Windows\system32\cmd.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.040{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000280670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.040{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F461-62DF-5305-000000006F02}9612C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.005{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.005{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.005{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F460-62DF-5105-000000006F02}9400C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.005{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:17.005{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F460-62DF-5205-000000006F02}9416C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.242{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.120{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56D9824410A78544885AFBA8452FA2C,SHA256=0BD68DAA719F3671DCB807D5C7E2B603523CD963400F62AD30194D48C714354A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:18.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6BC08ADD0C1538AB9C550B5E1A127C,SHA256=B382B0F9717D9729A0C35FC62680B5923B1AF11431AD3E5765B844470DDE9A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:18.004{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=756DE43D46498A5AF978A9FAD8873738,SHA256=39E2813A563171E0553DD1814C2090B77E0C3C6809E1642DBFFC562DF13B9A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:19.223{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226A9D09493E496F21464E9F89163144,SHA256=303595295E9A67F8ADEAD6396E90CC1E9C50D68029C17EC4648C36B3034C80BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:19.168{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141B1C56D98E82CA0C855AE38841F7AF,SHA256=2A184A77AB9BF27C0056A20DE4E0D010E22FAC698CFFC4019F0B938D7123DA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:20.262{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9EDA5CAF76FD54090AA21703283E41,SHA256=8C01CA95EDD028B4B18AE2EC8EB09E9F9B0A5F0667A7849200A333C73329746E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.976{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF330F47C69B98C307FBFD09581D4415,SHA256=AA322D316C92F1440B59E7F384107ED8E26D700FCC531E8A654EBFCED995F036,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000280767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.877{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.861{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.861{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.861{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.861{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.861{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.861{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.845{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.845{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.845{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.845{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.807{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.807{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.807{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.807{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.776{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.776{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.776{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.776{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.776{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.723{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.723{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.676{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.676{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.676{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.676{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.676{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.676{F81F30E6-F464-62DF-5405-000000006F02}1015610152C:\Windows\system32\cmd.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000280736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.683{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000280735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.676{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F464-62DF-5605-000000006F02}1196C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.660{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.660{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.660{F81F30E6-D9BD-62DF-9000-000000006F02}46887284C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.660{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.660{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.644{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.623{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.623{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.607{F81F30E6-F464-62DF-5505-000000006F02}101609336C:\Windows\system32\conhost.exe{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.607{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.607{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F464-62DF-5505-000000006F02}10160C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.607{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.607{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.591{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.591{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000280711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.591{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000280710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.591{F81F30E6-F163-62DF-1F04-000000006F02}226410084C:\Temp\dcrat.exe{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000280709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.605{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000280708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.591{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F464-62DF-5405-000000006F02}10156C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000280707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:20.260{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F951E396D8F7E7C7B34ACD399746420,SHA256=E9C53B9E6116203469FE39219204358AC566D8851E14CBA060B736329AD3FE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:21.355{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626C0D70514954DE517CDB68F9A51698,SHA256=AA8930FFB14CF182789AF57B2C46580E58AD8CF67F6EA0AE0709B348CB3FF969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:21.292{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DA7C469A393B3DA27C003F9CF1F146,SHA256=37050448D4C7D470D9E6DF424F68015D9F6F53A5D4E23F632D3ABCAB4BD0CCD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:21.224{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51056-false10.0.1.12-8000- 23542300x800000000000000053760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:22.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDC0C0ACAED53313F014CFC8CA8AA80,SHA256=D4F865904C79C96A8E17E6331F7C76B4E9BD58828EDFE53DF69F46E6B93CC0B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:22.323{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1513B0C3793BE7B3983AA030E0DB46C6,SHA256=E824795603C37A85AFD4B5C8F3AFEA9B0FCCFED0CDD5631E9ADDAA82EEFAD5DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000280770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:19.073{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64990-false10.0.1.12-8000- 23542300x800000000000000053762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:23.543{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51F61C1437C020C82CEDE7123470DE1,SHA256=BD989461007853A398E85894128E79E35F3C790D2CF2CE694584A184CA78C10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:23.374{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D441A7A8D28EC3D646C8767E2005EFC4,SHA256=C48A8B2CAEA82C64718A62050C092893878F1ED161DF4AB3D28C45C732195508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:24.746{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C6D890CFB46A54EB03249ACF5248BD,SHA256=3AB2D5F9C17058E3BEF288C95E050E7F9A6FB69CA82A51D856A2BEC5BC3248F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:24.420{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F939919D1CA45D03BCFD3FB26E7016,SHA256=3AE1899EE685BD38EF9030AD202CCF41CD5DFA77FB4D073BA8B5FBCBC5319C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:25.838{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9752785662F91948D17F370219515C,SHA256=4F115ADC4E4D31E63BEA25CD9CA3934C2BD494C5EB1155B18B330F32154E7266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:25.559{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F1513FE185F45092A17A3AE95C4A6A,SHA256=CC17F4778A9347248B34417A54329353072BE3642B51CB97E672BF8A5D9B28DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:25.705{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-111MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:26.929{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC77CD26A05CFC7F47365004E4ABF9D,SHA256=FC94E4A5D4A53A7A2A8F9DA1A8D548F287197A3F9B1D995ABD5DB4828EF3EF9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:26.589{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5922205ABFB9DFC01971C5DB550016F5,SHA256=215802F3F312EDC915204F3F4E804BDD3645EEBCE37080ECF3110B07CFD8E3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:26.713{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:27.737{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25BC9A6B75E1084E1E9A5D611E01C2F,SHA256=E530AFCC59C0CB7382855D7E63D9799EB882B031E2392A2E09E3B9C10E6A8C72,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:26.300{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51057-false10.0.1.12-8000- 354300x8000000000000000280776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:24.204{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64991-false10.0.1.12-8000- 23542300x8000000000000000280778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:28.787{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E0F68FA8D328F50F81EC0CE2F7975D,SHA256=FF97D11644FD617198D3E4B6FDC4993A7B76A5CF18BA291075983A3ED8465CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:28.025{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9BA4F6579568CFB765D0EE37DC7A20,SHA256=120BC70682E1DFCF76D2EA959455EBF97270ECB534460FE77BA5A778133090A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000280779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:04:29.821{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCE392FC854FDEC54F3815CF011BDBC,SHA256=2F66893127E599C4C303A4B527EC44B1F757CBECE80DCA9D9D36110C808C3617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:29.119{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E134B1BB25D641947DA1A826CA69205,SHA256=8149D44F0D85F59E7C48782C362F132E151CA840C173F5F33A5BDF1E07F447CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:04:30.213{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=774AEB32C776F3B5294A2DC5B8AA5CBF,SHA256=4247F3A660A93AD277F6F219DEFD7D6E76A8E7F430D5014BF48CF4E2221926F8,IMPHASH=00000000000000000000000000000000falsetrue